diff options
151 files changed, 3548 insertions, 877 deletions
@@ -1,3 +1,1779 @@ +Changes in version 0.2.2.36 - 2012-04-?? + Tor 0.2.2.36 updates the addresses for two of the eight directory + authorities, fixes some potential anonymity and security issues, + and fixes several crash bugs. + + Tor 0.2.1.x has reached its end-of-life. Those Tor versions have many + known flaws, and nobody should be using them. You should upgrade. If + you're using a Linux or BSD and its packages are obsolete, stop using + those packages and upgrade anyway. + + o Directory authority changes: + - Change IP address for maatuska (v3 directory authority). + - Change IP address for ides (v3 directory authority), and rename + it to turtles. + + o Security fixes: + - When building or running with any version of OpenSSL earlier + than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL + versions have a bug (CVE-2011-4576) in which their block cipher + padding includes uninitialized data, potentially leaking sensitive + information to any peer with whom they make a SSLv3 connection. Tor + does not use SSL v3 by default, but a hostile client or server + could force an SSLv3 connection in order to gain information that + they shouldn't have been able to get. The best solution here is to + upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building + or running with a non-upgraded OpenSSL, we disable SSLv3 entirely + to make sure that the bug can't happen. + - Never use a bridge or a controller-supplied node as an exit, even + if its exit policy allows it. Found by wanoskarnet. Fixes bug + 5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors) + and 0.2.0.3-alpha (for bridge-purpose descriptors). + - Only build circuits if we have a sufficient threshold of the total + descriptors that are marked in the consensus with the "Exit" + flag. This mitigates an attack proposed by wanoskarnet, in which + all of a client's bridges collude to restrict the exit nodes that + the client knows about. Fixes bug 5343. + - Provide controllers with a safer way to implement the cookie + authentication mechanism. With the old method, if another locally + running program could convince a controller that it was the Tor + process, then that program could trick the contoller into telling + it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE" + authentication method uses a challenge-response approach to prevent + this attack. Fixes bug 5185, implements proposal 193. + + o Major bugfixes: + - Avoid logging uninitialized data when unable to decode a hidden + service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha. + - Avoid a client-side assertion failure when receiving an INTRODUCE2 + cell on a general purpose circuit. Fixes bug 5644; bugfix on + 0.2.1.6-alpha. + - Fix builds when the path to sed, openssl, or sha1sum contains + spaces, which is pretty common on Windows. Fixes bug 5065; bugfix + on 0.2.2.1-alpha. + - Correct our replacements for the timeradd() and timersub() functions + on platforms that lack them (for example, Windows). The timersub() + function is used when expiring circuits, while timeradd() is + currently unused. Bug report and patch by Vektor. Fixes bug 4778; + bugfix on 0.2.2.24-alpha. + - Fix the SOCKET_OK test that we use to tell when socket + creation fails so that it works on Win64. Fixes part of bug 4533; + bugfix on 0.2.2.29-beta. Bug found by wanoskarnet. + + o Minor bugfixes: + - Make our number-parsing functions always treat too-large values + as an error, even when those values exceed the width of the + underlying type. Previously, if the caller provided these + functions with minima or maxima set to the extreme values of the + underlying integer type, these functions would return those + values on overflow rather than treating overflow as an error. + Fixes part of bug 5786; bugfix on 0.0.9. + - Older Linux kernels erroneously respond to strange nmap behavior + by having accept() return successfully with a zero-length + socket. When this happens, just close the connection. Previously, + we would try harder to learn the remote address: but there was + no such remote address to learn, and our method for trying to + learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix + on 0.1.0.3-rc. Reported and diagnosed by "r1eo". + - Change the BridgePassword feature (part of the "bridge community" + design, which is not yet implemented) to use a time-independent + comparison. The old behavior might have allowed an adversary + to use timing to guess the BridgePassword value. Fixes bug 5543; + bugfix on 0.2.0.14-alpha. + - Detect and reject certain misformed escape sequences in + configuration values. Previously, these values would cause us + to crash if received in a torrc file or over an authenticated + control port. Bug found by Esteban Manchado Velázquez, and + independently by Robert Connolly from Matta Consulting who further + noted that it allows a post-authentication heap overflow. Patch + by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE 2012-1668); + bugfix on 0.2.0.16-alpha. + - Fix a compile warning when using the --enable-openbsd-malloc + configure option. Fixes bug 5340; bugfix on 0.2.0.20-rc. + - During configure, detect when we're building with clang version + 3.0 or lower and disable the -Wnormalized=id and -Woverride-init + CFLAGS. clang doesn't support them yet. + - When sending an HTTP/1.1 proxy request, include a Host header. + Fixes bug 5593; bugfix on 0.2.2.1-alpha. + + o Minor bugfixes (documentation and log messages): + - Fix a typo in a log message in rend_service_rendezvous_has_opened(). + Fixes bug 4856; bugfix on Tor 0.0.6. + - Update "ClientOnly" man page entry to explain that there isn't + really any point to messing with it. Resolves ticket 5005. + - Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays + directory authority option (introduced in Tor 0.2.2.34). + - Downgrade the "We're missing a certificate" message from notice + to info: people kept mistaking it for a real problem, whereas it + is seldom the problem even when we are failing to bootstrap. Fixes + bug 5067; bugfix on 0.2.0.10-alpha. + - Correctly spell "connect" in a log message on failure to create a + controlsocket. Fixes bug 4803; bugfix on 0.2.2.26-beta. + + o Minor features: + - Directory authorities now reject versions of Tor older than + 0.2.1.30, and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha + inclusive. These versions accounted for only a small fraction of + the Tor network, and have numerous known security issues. Resolves + issue 4788. + - Update to the April 3 2012 Maxmind GeoLite Country database. + + - Feature removal: + - When sending or relaying a RELAY_EARLY cell, we used to convert + it to a RELAY cell if the connection was using the v1 link + protocol. This was a workaround for older versions of Tor, which + didn't handle RELAY_EARLY cells properly. Now that all supported + versions can handle RELAY_EARLY cells, and now that we're enforcing + the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule, + remove this workaround. Addresses bug 4786. + + +Changes in version 0.2.2.35 - 2011-12-16 + Tor 0.2.2.35 fixes a critical heap-overflow security issue in Tor's + buffers code. Absolutely everybody should upgrade. + + The bug relied on an incorrect calculation when making data continuous + in one of our IO buffers, if the first chunk of the buffer was + misaligned by just the wrong amount. The miscalculation would allow an + attacker to overflow a piece of heap-allocated memory. To mount this + attack, the attacker would need to either open a SOCKS connection to + Tor's SocksPort (usually restricted to localhost), or target a Tor + instance configured to make its connections through a SOCKS proxy + (which Tor does not do by default). + + Good security practice requires that all heap-overflow bugs should be + presumed to be exploitable until proven otherwise, so we are treating + this as a potential code execution attack. Please upgrade immediately! + This bug does not affect bufferevents-based builds of Tor. Special + thanks to "Vektor" for reporting this issue to us! + + Tor 0.2.2.35 also fixes several bugs in previous versions, including + crash bugs for unusual configurations, and a long-term bug that + would prevent Tor from starting on Windows machines with draconian + AV software. + + With this release, we remind everyone that 0.2.0.x has reached its + formal end-of-life. Those Tor versions have many known flaws, and + nobody should be using them. You should upgrade -- ideally to the + 0.2.2.x series. If you're using a Linux or BSD and its packages are + obsolete, stop using those packages and upgrade anyway. + + The Tor 0.2.1.x series is also approaching its end-of-life: it will no + longer receive support after some time in early 2012. + + o Major bugfixes: + - Fix a heap overflow bug that could occur when trying to pull + data into the first chunk of a buffer, when that chunk had + already had some data drained from it. Fixes CVE-2011-2778; + bugfix on 0.2.0.16-alpha. Reported by "Vektor". + - Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so + that it doesn't attempt to allocate a socketpair. This could cause + some problems on Windows systems with overzealous firewalls. Fix for + bug 4457; workaround for Libevent versions 2.0.1-alpha through + 2.0.15-stable. + - If we mark an OR connection for close based on a cell we process, + don't process any further cells on it. We already avoid further + reads on marked-for-close connections, but now we also discard the + cells we'd already read. Fixes bug 4299; bugfix on 0.2.0.10-alpha, + which was the first version where we might mark a connection for + close based on processing a cell on it. + - Correctly sanity-check that we don't underflow on a memory + allocation (and then assert) for hidden service introduction + point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410; + bugfix on 0.2.1.5-alpha. + - Fix a memory leak when we check whether a hidden service + descriptor has any usable introduction points left. Fixes bug + 4424. Bugfix on 0.2.2.25-alpha. + - Don't crash when we're running as a relay and don't have a GeoIP + file. Bugfix on 0.2.2.34; fixes bug 4340. This backports a fix + we've had in the 0.2.3.x branch already. + - When running as a client, do not print a misleading (and plain + wrong) log message that we're collecting "directory request" + statistics: clients don't collect statistics. Also don't create a + useless (because empty) stats file in the stats/ directory. Fixes + bug 4353; bugfix on 0.2.2.34. + + o Minor bugfixes: + - Detect failure to initialize Libevent. This fix provides better + detection for future instances of bug 4457. + - Avoid frequent calls to the fairly expensive cull_wedged_cpuworkers + function. This was eating up hideously large amounts of time on some + busy servers. Fixes bug 4518; bugfix on 0.0.9.8. + - Resolve an integer overflow bug in smartlist_ensure_capacity(). + Fixes bug 4230; bugfix on Tor 0.1.0.1-rc. Based on a patch by + Mansour Moufid. + - Don't warn about unused log_mutex in log.c when building with + --disable-threads using a recent GCC. Fixes bug 4437; bugfix on + 0.1.0.6-rc which introduced --disable-threads. + - When configuring, starting, or stopping an NT service, stop + immediately after the service configuration attempt has succeeded + or failed. Fixes bug 3963; bugfix on 0.2.0.7-alpha. + - When sending a NETINFO cell, include the original address + received for the other side, not its canonical address. Found + by "troll_un"; fixes bug 4349; bugfix on 0.2.0.10-alpha. + - Fix a typo in a hibernation-related log message. Fixes bug 4331; + bugfix on 0.2.2.23-alpha; found by "tmpname0901". + - Fix a memory leak in launch_direct_bridge_descriptor_fetch() that + occurred when a client tried to fetch a descriptor for a bridge + in ExcludeNodes. Fixes bug 4383; bugfix on 0.2.2.25-alpha. + - Backport fixes for a pair of compilation warnings on Windows. + Fixes bug 4521; bugfix on 0.2.2.28-beta and on 0.2.2.29-beta. + - If we had ever tried to call tor_addr_to_str on an address of + unknown type, we would have done a strdup on an uninitialized + buffer. Now we won't. Fixes bug 4529; bugfix on 0.2.1.3-alpha. + Reported by "troll_un". + - Correctly detect and handle transient lookup failures from + tor_addr_lookup. Fixes bug 4530; bugfix on 0.2.1.5-alpha. + Reported by "troll_un". + - Fix null-pointer access that could occur if TLS allocation failed. + Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un". + - Use tor_socket_t type for listener argument to accept(). Fixes bug + 4535; bugfix on 0.2.2.28-beta. Found by "troll_un". + + o Minor features: + - Add two new config options for directory authorities: + AuthDirFastGuarantee sets a bandwidth threshold for guaranteeing the + Fast flag, and AuthDirGuardBWGuarantee sets a bandwidth threshold + that is always sufficient to satisfy the bandwidth requirement for + the Guard flag. Now it will be easier for researchers to simulate + Tor networks with different values. Resolves ticket 4484. + - When Tor ignores a hidden service specified in its configuration, + include the hidden service's directory in the warning message. + Previously, we would only tell the user that some hidden service + was ignored. Bugfix on 0.0.6; fixes bug 4426. + - Update to the December 6 2011 Maxmind GeoLite Country database. + + o Packaging changes: + - Make it easier to automate expert package builds on Windows, + by removing an absolute path from makensis.exe command. + + +Changes in version 0.2.1.32 - 2011-12-16 + Tor 0.2.1.32 backports important security and privacy fixes for + oldstable. This release is intended only for package maintainers and + others who cannot use the 0.2.2 stable series. All others should be + using Tor 0.2.2.x or newer. + + The Tor 0.2.1.x series will reach formal end-of-life some time in + early 2012; we will stop releasing patches for it then. + + o Major bugfixes (also included in 0.2.2.x): + - Correctly sanity-check that we don't underflow on a memory + allocation (and then assert) for hidden service introduction + point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410; + bugfix on 0.2.1.5-alpha. + - Fix a heap overflow bug that could occur when trying to pull + data into the first chunk of a buffer, when that chunk had + already had some data drained from it. Fixes CVE-2011-2778; + bugfix on 0.2.0.16-alpha. Reported by "Vektor". + + o Minor features: + - Update to the December 6 2011 Maxmind GeoLite Country database. + + +Changes in version 0.2.2.34 - 2011-10-26 + Tor 0.2.2.34 fixes a critical anonymity vulnerability where an attacker + can deanonymize Tor users. Everybody should upgrade. + + The attack relies on four components: 1) Clients reuse their TLS cert + when talking to different relays, so relays can recognize a user by + the identity key in her cert. 2) An attacker who knows the client's + identity key can probe each guard relay to see if that identity key + is connected to that guard relay right now. 3) A variety of active + attacks in the literature (starting from "Low-Cost Traffic Analysis + of Tor" by Murdoch and Danezis in 2005) allow a malicious website to + discover the guard relays that a Tor user visiting the website is using. + 4) Clients typically pick three guards at random, so the set of guards + for a given user could well be a unique fingerprint for her. This + release fixes components #1 and #2, which is enough to block the attack; + the other two remain as open research problems. Special thanks to + "frosty_un" for reporting the issue to us! + + Clients should upgrade so they are no longer recognizable by the TLS + certs they present. Relays should upgrade so they no longer allow a + remote attacker to probe them to test whether unpatched clients are + currently connected to them. + + This release also fixes several vulnerabilities that allow an attacker + to enumerate bridge relays. Some bridge enumeration attacks still + remain; see for example proposal 188. + + o Privacy/anonymity fixes (clients): + - Clients and bridges no longer send TLS certificate chains on + outgoing OR connections. Previously, each client or bridge would + use the same cert chain for all outgoing OR connections until + its IP address changes, which allowed any relay that the client + or bridge contacted to determine which entry guards it is using. + Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un". + - If a relay receives a CREATE_FAST cell on a TLS connection, it + no longer considers that connection as suitable for satisfying a + circuit EXTEND request. Now relays can protect clients from the + CVE-2011-2768 issue even if the clients haven't upgraded yet. + - Directory authorities no longer assign the Guard flag to relays + that haven't upgraded to the above "refuse EXTEND requests + to client connections" fix. Now directory authorities can + protect clients from the CVE-2011-2768 issue even if neither + the clients nor the relays have upgraded yet. There's a new + "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option + to let us transition smoothly, else tomorrow there would be no + guard relays. + + o Privacy/anonymity fixes (bridge enumeration): + - Bridge relays now do their directory fetches inside Tor TLS + connections, like all the other clients do, rather than connecting + directly to the DirPort like public relays do. Removes another + avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35. + - Bridges relays now build circuits for themselves in a more similar + way to how clients build them. Removes another avenue for + enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha, + when bridges were introduced. + - Bridges now refuse CREATE or CREATE_FAST cells on OR connections + that they initiated. Relays could distinguish incoming bridge + connections from client connections, creating another avenue for + enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha. + Found by "frosty_un". + + o Major bugfixes: + - Fix a crash bug when changing node restrictions while a DNS lookup + is in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix + by "Tey'". + - Don't launch a useless circuit after failing to use one of a + hidden service's introduction points. Previously, we would + launch a new introduction circuit, but not set the hidden service + which that circuit was intended to connect to, so it would never + actually be used. A different piece of code would then create a + new introduction circuit correctly. Bug reported by katmagic and + found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212. + + o Minor bugfixes: + - Change an integer overflow check in the OpenBSD_Malloc code so + that GCC is less likely to eliminate it as impossible. Patch + from Mansour Moufid. Fixes bug 4059. + - When a hidden service turns an extra service-side introduction + circuit into a general-purpose circuit, free the rend_data and + intro_key fields first, so we won't leak memory if the circuit + is cannibalized for use as another service-side introduction + circuit. Bugfix on 0.2.1.7-alpha; fixes bug 4251. + - Bridges now skip DNS self-tests, to act a little more stealthily. + Fixes bug 4201; bugfix on 0.2.0.3-alpha, which first introduced + bridges. Patch by "warms0x". + - Fix internal bug-checking logic that was supposed to catch + failures in digest generation so that it will fail more robustly + if we ask for a nonexistent algorithm. Found by Coverity Scan. + Bugfix on 0.2.2.1-alpha; fixes Coverity CID 479. + - Report any failure in init_keys() calls launched because our + IP address has changed. Spotted by Coverity Scan. Bugfix on + 0.1.1.4-alpha; fixes CID 484. + + o Minor bugfixes (log messages and documentation): + - Remove a confusing dollar sign from the example fingerprint in the + man page, and also make the example fingerprint a valid one. Fixes + bug 4309; bugfix on 0.2.1.3-alpha. + - The next version of Windows will be called Windows 8, and it has + a major version of 6, minor version of 2. Correctly identify that + version instead of calling it "Very recent version". Resolves + ticket 4153; reported by funkstar. + - Downgrade log messages about circuit timeout calibration from + "notice" to "info": they don't require or suggest any human + intervention. Patch from Tom Lowenthal. Fixes bug 4063; + bugfix on 0.2.2.14-alpha. + + o Minor features: + - Turn on directory request statistics by default and include them in + extra-info descriptors. Don't break if we have no GeoIP database. + Backported from 0.2.3.1-alpha; implements ticket 3951. + - Update to the October 4 2011 Maxmind GeoLite Country database. + + +Changes in version 0.2.1.31 - 2011-10-26 + Tor 0.2.1.31 backports important security and privacy fixes for + oldstable. This release is intended only for package maintainers and + others who cannot use the 0.2.2 stable series. All others should be + using Tor 0.2.2.x or newer. + + o Security fixes (also included in 0.2.2.x): + - Replace all potentially sensitive memory comparison operations + with versions whose runtime does not depend on the data being + compared. This will help resist a class of attacks where an + adversary can use variations in timing information to learn + sensitive data. Fix for one case of bug 3122. (Safe memcmp + implementation by Robert Ransom based partially on code by DJB.) + - Fix an assert in parsing router descriptors containing IPv6 + addresses. This one took down the directory authorities when + somebody tried some experimental code. Bugfix on 0.2.1.3-alpha. + + o Privacy/anonymity fixes (also included in 0.2.2.x): + - Clients and bridges no longer send TLS certificate chains on + outgoing OR connections. Previously, each client or bridge + would use the same cert chain for all outgoing OR connections + for up to 24 hours, which allowed any relay that the client or + bridge contacted to determine which entry guards it is using. + Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by frosty_un. + - If a relay receives a CREATE_FAST cell on a TLS connection, it + no longer considers that connection as suitable for satisfying a + circuit EXTEND request. Now relays can protect clients from the + CVE-2011-2768 issue even if the clients haven't upgraded yet. + - Bridges now refuse CREATE or CREATE_FAST cells on OR connections + that they initiated. Relays could distinguish incoming bridge + connections from client connections, creating another avenue for + enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha. + Found by "frosty_un". + - When receiving a hidden service descriptor, check that it is for + the hidden service we wanted. Previously, Tor would store any + hidden service descriptors that a directory gave it, whether it + wanted them or not. This wouldn't have let an attacker impersonate + a hidden service, but it did let directories pre-seed a client + with descriptors that it didn't want. Bugfix on 0.0.6. + - Avoid linkability based on cached hidden service descriptors: forget + all hidden service descriptors cached as a client when processing a + SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6. + - Make the bridge directory authority refuse to answer directory + requests for "all" descriptors. It used to include bridge + descriptors in its answer, which was a major information leak. + Found by "piebeer". Bugfix on 0.2.0.3-alpha. + - Don't attach new streams to old rendezvous circuits after SIGNAL + NEWNYM. Previously, we would keep using an existing rendezvous + circuit if it remained open (i.e. if it were kept open by a + long-lived stream, or if a new stream were attached to it before + Tor could notice that it was old and no longer in use). Bugfix on + 0.1.1.15-rc; fixes bug 3375. + + o Minor bugfixes (also included in 0.2.2.x): + - When we restart our relay, we might get a successful connection + from the outside before we've started our reachability tests, + triggering a warning: "ORPort found reachable, but I have no + routerinfo yet. Failing to inform controller of success." This + bug was harmless unless Tor is running under a controller + like Vidalia, in which case the controller would never get a + REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha; + fixes bug 1172. + - Build correctly on OSX with zlib 1.2.4 and higher with all warnings + enabled. Fixes bug 1526. + - Remove undocumented option "-F" from tor-resolve: it hasn't done + anything since 0.2.1.16-rc. + - Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned. + None of the cases where we did this before were wrong, but by making + this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28. + - Fix a rare crash bug that could occur when a client was configured + with a large number of bridges. Fixes bug 2629; bugfix on + 0.2.1.2-alpha. Bugfix by trac user "shitlei". + - Correct the warning displayed when a rendezvous descriptor exceeds + the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by + John Brooks. + - Fix an uncommon assertion failure when running with DNSPort under + heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha. + - When warning about missing zlib development packages during compile, + give the correct package names. Bugfix on 0.2.0.1-alpha. + - Require that introduction point keys and onion keys have public + exponent 65537. Bugfix on 0.2.0.10-alpha. + - Do not crash when our configuration file becomes unreadable, for + example due to a permissions change, between when we start up + and when a controller calls SAVECONF. Fixes bug 3135; bugfix + on 0.0.9pre6. + - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option. + Fixes bug 3208. + - Always NUL-terminate the sun_path field of a sockaddr_un before + passing it to the kernel. (Not a security issue: kernels are + smart enough to reject bad sockaddr_uns.) Found by Coverity; + CID #428. Bugfix on Tor 0.2.0.3-alpha. + - Don't stack-allocate the list of supplementary GIDs when we're + about to log them. Stack-allocating NGROUPS_MAX gid_t elements + could take up to 256K, which is way too much stack. Found by + Coverity; CID #450. Bugfix on 0.2.1.7-alpha. + + o Minor bugfixes (only in 0.2.1.x): + - Resume using micro-version numbers in 0.2.1.x: our Debian packages + rely on them. Bugfix on 0.2.1.30. + - Use git revisions instead of svn revisions when generating our + micro-version numbers. Bugfix on 0.2.1.15-rc; fixes bug 2402. + + o Minor features (also included in 0.2.2.x): + - Adjust the expiration time on our SSL session certificates to + better match SSL certs seen in the wild. Resolves ticket 4014. + - Allow nameservers with IPv6 address. Resolves bug 2574. + - Update to the October 4 2011 Maxmind GeoLite Country database. + + +Changes in version 0.2.2.33 - 2011-09-13 + Tor 0.2.2.33 fixes several bugs, and includes a slight tweak to Tor's + TLS handshake that makes relays and bridges that run this new version + reachable from Iran again. + + o Major bugfixes: + - Avoid an assertion failure when reloading a configuration with + TrackExitHosts changes. Found and fixed by 'laruldan'. Fixes bug + 3923; bugfix on 0.2.2.25-alpha. + + o Minor features (security): + - Check for replays of the public-key encrypted portion of an + INTRODUCE1 cell, in addition to the current check for replays of + the g^x value. This prevents a possible class of active attacks + by an attacker who controls both an introduction point and a + rendezvous point, and who uses the malleability of AES-CTR to + alter the encrypted g^x portion of the INTRODUCE1 cell. We think + that these attacks are infeasible (requiring the attacker to send + on the order of zettabytes of altered cells in a short interval), + but we'd rather block them off in case there are any classes of + this attack that we missed. Reported by Willem Pinckaers. + + o Minor features: + - Adjust the expiration time on our SSL session certificates to + better match SSL certs seen in the wild. Resolves ticket 4014. + - Change the default required uptime for a relay to be accepted as + a HSDir (hidden service directory) from 24 hours to 25 hours. + Improves on 0.2.0.10-alpha; resolves ticket 2649. + - Add a VoteOnHidServDirectoriesV2 config option to allow directory + authorities to abstain from voting on assignment of the HSDir + consensus flag. Related to bug 2649. + - Update to the September 6 2011 Maxmind GeoLite Country database. + + o Minor bugfixes (documentation and log messages): + - Correct the man page to explain that HashedControlPassword and + CookieAuthentication can both be set, in which case either method + is sufficient to authenticate to Tor. Bugfix on 0.2.0.7-alpha, + when we decided to allow these config options to both be set. Issue + raised by bug 3898. + - Demote the 'replay detected' log message emitted when a hidden + service receives the same Diffie-Hellman public key in two different + INTRODUCE2 cells to info level. A normal Tor client can cause that + log message during its normal operation. Bugfix on 0.2.1.6-alpha; + fixes part of bug 2442. + - Demote the 'INTRODUCE2 cell is too {old,new}' log message to info + level. There is nothing that a hidden service's operator can do + to fix its clients' clocks. Bugfix on 0.2.1.6-alpha; fixes part + of bug 2442. + - Clarify a log message specifying the characters permitted in + HiddenServiceAuthorizeClient client names. Previously, the log + message said that "[A-Za-z0-9+-_]" were permitted; that could have + given the impression that every ASCII character between "+" and "_" + was permitted. Now we say "[A-Za-z0-9+_-]". Bugfix on 0.2.1.5-alpha. + + o Build fixes: + - Provide a substitute implementation of lround() for MSVC, which + apparently lacks it. Patch from Gisle Vanem. + - Clean up some code issues that prevented Tor from building on older + BSDs. Fixes bug 3894; reported by "grarpamp". + - Search for a platform-specific version of "ar" when cross-compiling. + Should fix builds on iOS. Resolves bug 3909, found by Marco Bonetti. + + +Changes in version 0.2.2.32 - 2011-08-27 + The Tor 0.2.2 release series is dedicated to the memory of Andreas + Pfitzmann (1958-2010), a pioneer in anonymity and privacy research, + a founder of the PETS community, a leader in our field, a mentor, + and a friend. He left us with these words: "I had the possibility + to contribute to this world that is not as it should be. I hope I + could help in some areas to make the world a better place, and that + I could also encourage other people to be engaged in improving the + world. Please, stay engaged. This world needs you, your love, your + initiative -- now I cannot be part of that anymore." + + Tor 0.2.2.32, the first stable release in the 0.2.2 branch, is finally + ready. More than two years in the making, this release features improved + client performance and hidden service reliability, better compatibility + for Android, correct behavior for bridges that listen on more than + one address, more extensible and flexible directory object handling, + better reporting of network statistics, improved code security, and + many many other features and bugfixes. + + +Changes in version 0.2.2.31-rc - 2011-08-17 + Tor 0.2.2.31-rc is the second and hopefully final release candidate + for the Tor 0.2.2.x series. + + o Major bugfixes: + - Remove an extra pair of quotation marks around the error + message in control-port STATUS_GENERAL BUG events. Bugfix on + 0.1.2.6-alpha; fixes bug 3732. + - If we're configured to write our ControlPorts to disk, only write + them after switching UID and creating the data directory. This way, + we don't fail when starting up with a nonexistent DataDirectory + and a ControlPortWriteToFile setting based on that directory. Fixes + bug 3747; bugfix on Tor 0.2.2.26-beta. + + o Minor features: + - Update to the August 2 2011 Maxmind GeoLite Country database. + + o Minor bugfixes: + - Allow GETINFO fingerprint to return a fingerprint even when + we have not yet built a router descriptor. Fixes bug 3577; + bugfix on 0.2.0.1-alpha. + - Write several files in text mode, on OSes that distinguish text + mode from binary mode (namely, Windows). These files are: + 'buffer-stats', 'dirreq-stats', and 'entry-stats' on relays + that collect those statistics; 'client_keys' and 'hostname' for + hidden services that use authentication; and (in the tor-gencert + utility) newly generated identity and signing keys. Previously, + we wouldn't specify text mode or binary mode, leading to an + assertion failure. Fixes bug 3607. Bugfix on 0.2.1.1-alpha (when + the DirRecordUsageByCountry option which would have triggered + the assertion failure was added), although this assertion failure + would have occurred in tor-gencert on Windows in 0.2.0.1-alpha. + - Selectively disable deprecation warnings on OS X because Lion + started deprecating the shipped copy of openssl. Fixes bug 3643. + - When unable to format an address as a string, report its value + as "???" rather than reusing the last formatted address. Bugfix + on 0.2.1.5-alpha. + + +Changes in version 0.2.2.30-rc - 2011-07-07 + Tor 0.2.2.30-rc is the first release candidate for the Tor 0.2.2.x + series. It fixes a few smaller bugs, but generally appears stable. + Please test it and let us know whether it is! + + o Minor bugfixes: + - Send a SUCCEEDED stream event to the controller when a reverse + resolve succeeded. Fixes bug 3536; bugfix on 0.0.8pre1. Issue + discovered by katmagic. + - Always NUL-terminate the sun_path field of a sockaddr_un before + passing it to the kernel. (Not a security issue: kernels are + smart enough to reject bad sockaddr_uns.) Found by Coverity; + CID #428. Bugfix on Tor 0.2.0.3-alpha. + - Don't stack-allocate the list of supplementary GIDs when we're + about to log them. Stack-allocating NGROUPS_MAX gid_t elements + could take up to 256K, which is way too much stack. Found by + Coverity; CID #450. Bugfix on 0.2.1.7-alpha. + - Add BUILDTIMEOUT_SET to the list returned by the 'GETINFO + events/names' control-port command. Bugfix on 0.2.2.9-alpha; + fixes part of bug 3465. + - Fix a memory leak when receiving a descriptor for a hidden + service we didn't ask for. Found by Coverity; CID #30. Bugfix + on 0.2.2.26-beta. + + o Minor features: + - Update to the July 1 2011 Maxmind GeoLite Country database. + + +Changes in version 0.2.2.29-beta - 2011-06-20 + Tor 0.2.2.29-beta reverts an accidental behavior change for users who + have bridge lines in their torrc but don't want to use them; gets + us closer to having the control socket feature working on Debian; + and fixes a variety of smaller bugs. + + o Major bugfixes: + - Revert the UseBridges option to its behavior before 0.2.2.28-beta. + When we changed the default behavior to "use bridges if any + are listed in the torrc", we surprised users who had bridges + in their torrc files but who didn't actually want to use them. + Partial resolution for bug 3354. + + o Privacy fixes: + - Don't attach new streams to old rendezvous circuits after SIGNAL + NEWNYM. Previously, we would keep using an existing rendezvous + circuit if it remained open (i.e. if it were kept open by a + long-lived stream, or if a new stream were attached to it before + Tor could notice that it was old and no longer in use). Bugfix on + 0.1.1.15-rc; fixes bug 3375. + + o Minor bugfixes: + - Fix a bug when using ControlSocketsGroupWritable with User. The + directory's group would be checked against the current group, not + the configured group. Patch by Jérémy Bobbio. Fixes bug 3393; + bugfix on 0.2.2.26-beta. + - Make connection_printf_to_buf()'s behaviour sane. Its callers + expect it to emit a CRLF iff the format string ends with CRLF; + it actually emitted a CRLF iff (a) the format string ended with + CRLF or (b) the resulting string was over 1023 characters long or + (c) the format string did not end with CRLF *and* the resulting + string was 1021 characters long or longer. Bugfix on 0.1.1.9-alpha; + fixes part of bug 3407. + - Make send_control_event_impl()'s behaviour sane. Its callers + expect it to always emit a CRLF at the end of the string; it + might have emitted extra control characters as well. Bugfix on + 0.1.1.9-alpha; fixes another part of bug 3407. + - Make crypto_rand_int() check the value of its input correctly. + Previously, it accepted values up to UINT_MAX, but could return a + negative number if given a value above INT_MAX+1. Found by George + Kadianakis. Fixes bug 3306; bugfix on 0.2.2pre14. + - Avoid a segfault when reading a malformed circuit build state + with more than INT_MAX entries. Found by wanoskarnet. Bugfix on + 0.2.2.4-alpha. + - When asked about a DNS record type we don't support via a + client DNSPort, reply with NOTIMPL rather than an empty + reply. Patch by intrigeri. Fixes bug 3369; bugfix on 2.0.1-alpha. + - Fix a rare memory leak during stats writing. Found by coverity. + + o Minor features: + - Update to the June 1 2011 Maxmind GeoLite Country database. + + o Code simplifications and refactoring: + - Remove some dead code as indicated by coverity. + - Remove a few dead assignments during router parsing. Found by + coverity. + - Add some forgotten return value checks during unit tests. Found + by coverity. + - Don't use 1-bit wide signed bit fields. Found by coverity. + + +Changes in version 0.2.2.28-beta - 2011-06-04 + Tor 0.2.2.28-beta makes great progress towards a new stable release: we + fixed a big bug in whether relays stay in the consensus consistently, + we moved closer to handling bridges and hidden services correctly, + and we started the process of better handling the dreaded "my Vidalia + died, and now my Tor demands a password when I try to reconnect to it" + usability issue. + + o Major bugfixes: + - Don't decide to make a new descriptor when receiving a HUP signal. + This bug has caused a lot of 0.2.2.x relays to disappear from the + consensus periodically. Fixes the most common case of triggering + bug 1810; bugfix on 0.2.2.7-alpha. + - Actually allow nameservers with IPv6 addresses. Fixes bug 2574. + - Don't try to build descriptors if "ORPort auto" is set and we + don't know our actual ORPort yet. Fix for bug 3216; bugfix on + 0.2.2.26-beta. + - Resolve a crash that occurred when setting BridgeRelay to 1 with + accounting enabled. Fixes bug 3228; bugfix on 0.2.2.18-alpha. + - Apply circuit timeouts to opened hidden-service-related circuits + based on the correct start time. Previously, we would apply the + circuit build timeout based on time since the circuit's creation; + it was supposed to be applied based on time since the circuit + entered its current state. Bugfix on 0.0.6; fixes part of bug 1297. + - Use the same circuit timeout for client-side introduction + circuits as for other four-hop circuits, rather than the timeout + for single-hop directory-fetch circuits; the shorter timeout may + have been appropriate with the static circuit build timeout in + 0.2.1.x and earlier, but caused many hidden service access attempts + to fail with the adaptive CBT introduced in 0.2.2.2-alpha. Bugfix + on 0.2.2.2-alpha; fixes another part of bug 1297. + - In ticket 2511 we fixed a case where you could use an unconfigured + bridge if you had configured it as a bridge the last time you ran + Tor. Now fix another edge case: if you had configured it as a bridge + but then switched to a different bridge via the controller, you + would still be willing to use the old one. Bugfix on 0.2.0.1-alpha; + fixes bug 3321. + + o Major features: + - Add an __OwningControllerProcess configuration option and a + TAKEOWNERSHIP control-port command. Now a Tor controller can ensure + that when it exits, Tor will shut down. Implements feature 3049. + - If "UseBridges 1" is set and no bridges are configured, Tor will + now refuse to build any circuits until some bridges are set. + If "UseBridges auto" is set, Tor will use bridges if they are + configured and we are not running as a server, but otherwise will + make circuits as usual. The new default is "auto". Patch by anonym, + so the Tails LiveCD can stop automatically revealing you as a Tor + user on startup. + + o Minor bugfixes: + - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option. + - Remove a trailing asterisk from "exit-policy/default" in the + output of the control port command "GETINFO info/names". Bugfix + on 0.1.2.5-alpha. + - Use a wide type to hold sockets when built for 64-bit Windows builds. + Fixes bug 3270. + - Warn when the user configures two HiddenServiceDir lines that point + to the same directory. Bugfix on 0.0.6 (the version introducing + HiddenServiceDir); fixes bug 3289. + - Remove dead code from rend_cache_lookup_v2_desc_as_dir. Fixes + part of bug 2748; bugfix on 0.2.0.10-alpha. + - Log malformed requests for rendezvous descriptors as protocol + warnings, not warnings. Also, use a more informative log message + in case someone sees it at log level warning without prior + info-level messages. Fixes the other part of bug 2748; bugfix + on 0.2.0.10-alpha. + - Clear the table recording the time of the last request for each + hidden service descriptor from each HS directory on SIGNAL NEWNYM. + Previously, we would clear our HS descriptor cache on SIGNAL + NEWNYM, but if we had previously retrieved a descriptor (or tried + to) from every directory responsible for it, we would refuse to + fetch it again for up to 15 minutes. Bugfix on 0.2.2.25-alpha; + fixes bug 3309. + - Fix a log message that said "bits" while displaying a value in + bytes. Found by wanoskarnet. Fixes bug 3318; bugfix on + 0.2.0.1-alpha. + - When checking for 1024-bit keys, check for 1024 bits, not 128 + bytes. This allows Tor to correctly discard keys of length 1017 + through 1023. Bugfix on 0.0.9pre5. + + o Minor features: + - Relays now log the reason for publishing a new relay descriptor, + so we have a better chance of hunting down instances of bug 1810. + Resolves ticket 3252. + - Revise most log messages that refer to nodes by nickname to + instead use the "$key=nickname at address" format. This should be + more useful, especially since nicknames are less and less likely + to be unique. Resolves ticket 3045. + - Log (at info level) when purging pieces of hidden-service-client + state because of SIGNAL NEWNYM. + + o Removed options: + - Remove undocumented option "-F" from tor-resolve: it hasn't done + anything since 0.2.1.16-rc. + + +Changes in version 0.2.2.27-beta - 2011-05-18 + Tor 0.2.2.27-beta fixes a bridge-related stability bug in the previous + release, and also adds a few more general bugfixes. + + o Major bugfixes: + - Fix a crash bug when changing bridges in a running Tor process. + Fixes bug 3213; bugfix on 0.2.2.26-beta. + - When the controller configures a new bridge, don't wait 10 to 60 + seconds before trying to fetch its descriptor. Bugfix on + 0.2.0.3-alpha; fixes bug 3198 (suggested by 2355). + + o Minor bugfixes: + - Require that onion keys have exponent 65537 in microdescriptors too. + Fixes more of bug 3207; bugfix on 0.2.2.26-beta. + - Tor used to limit HttpProxyAuthenticator values to 48 characters. + Changed the limit to 512 characters by removing base64 newlines. + Fixes bug 2752. Fix by Michael Yakubovich. + - When a client starts or stops using bridges, never use a circuit + that was built before the configuration change. This behavior could + put at risk a user who uses bridges to ensure that her traffic + only goes to the chosen addresses. Bugfix on 0.2.0.3-alpha; fixes + bug 3200. + + +Changes in version 0.2.2.26-beta - 2011-05-17 + Tor 0.2.2.26-beta fixes a variety of potential privacy problems. It + also introduces a new "socksport auto" approach that should make it + easier to run multiple Tors on the same system, and does a lot of + cleanup to get us closer to a release candidate. + + o Security/privacy fixes: + - Replace all potentially sensitive memory comparison operations + with versions whose runtime does not depend on the data being + compared. This will help resist a class of attacks where an + adversary can use variations in timing information to learn + sensitive data. Fix for one case of bug 3122. (Safe memcmp + implementation by Robert Ransom based partially on code by DJB.) + - When receiving a hidden service descriptor, check that it is for + the hidden service we wanted. Previously, Tor would store any + hidden service descriptors that a directory gave it, whether it + wanted them or not. This wouldn't have let an attacker impersonate + a hidden service, but it did let directories pre-seed a client + with descriptors that it didn't want. Bugfix on 0.0.6. + - On SIGHUP, do not clear out all TrackHostExits mappings, client + DNS cache entries, and virtual address mappings: that's what + NEWNYM is for. Fixes bug 1345; bugfix on 0.1.0.1-rc. + + o Major features: + - The options SocksPort, ControlPort, and so on now all accept a + value "auto" that opens a socket on an OS-selected port. A + new ControlPortWriteToFile option tells Tor to write its + actual control port or ports to a chosen file. If the option + ControlPortFileGroupReadable is set, the file is created as + group-readable. Now users can run two Tor clients on the same + system without needing to manually mess with parameters. Resolves + part of ticket 3076. + - Set SO_REUSEADDR on all sockets, not just listeners. This should + help busy exit nodes avoid running out of useable ports just + because all the ports have been used in the near past. Resolves + issue 2850. + + o Minor features: + - New "GETINFO net/listeners/(type)" controller command to return + a list of addresses and ports that are bound for listeners for a + given connection type. This is useful when the user has configured + "SocksPort auto" and the controller needs to know which port got + chosen. Resolves another part of ticket 3076. + - Add a new ControlSocketsGroupWritable configuration option: when + it is turned on, ControlSockets are group-writeable by the default + group of the current user. Patch by Jérémy Bobbio; implements + ticket 2972. + - Tor now refuses to create a ControlSocket in a directory that is + world-readable (or group-readable if ControlSocketsGroupWritable + is 0). This is necessary because some operating systems do not + enforce permissions on an AF_UNIX sockets. Permissions on the + directory holding the socket, however, seems to work everywhere. + - Rate-limit a warning about failures to download v2 networkstatus + documents. Resolves part of bug 1352. + - Backport code from 0.2.3.x that allows directory authorities to + clean their microdescriptor caches. Needed to resolve bug 2230. + - When an HTTPS proxy reports "403 Forbidden", we now explain + what it means rather than calling it an unexpected status code. + Closes bug 2503. Patch from Michael Yakubovich. + - Update to the May 1 2011 Maxmind GeoLite Country database. + + o Minor bugfixes: + - Authorities now clean their microdesc cache periodically and when + reading from disk initially, not only when adding new descriptors. + This prevents a bug where we could lose microdescriptors. Bugfix + on 0.2.2.6-alpha. 2230 + - Do not crash when our configuration file becomes unreadable, for + example due to a permissions change, between when we start up + and when a controller calls SAVECONF. Fixes bug 3135; bugfix + on 0.0.9pre6. + - Avoid a bug that would keep us from replacing a microdescriptor + cache on Windows. (We would try to replace the file while still + holding it open. That's fine on Unix, but Windows doesn't let us + do that.) Bugfix on 0.2.2.6-alpha; bug found by wanoskarnet. + - Add missing explanations for the authority-related torrc options + RephistTrackTime, BridgePassword, and V3AuthUseLegacyKey in the + man page. Resolves issue 2379. + - As an authority, do not upload our own vote or signature set to + ourself. It would tell us nothing new, and as of 0.2.2.24-alpha, + it would get flagged as a duplicate. Resolves bug 3026. + - Accept hidden service descriptors if we think we might be a hidden + service directory, regardless of what our consensus says. This + helps robustness, since clients and hidden services can sometimes + have a more up-to-date view of the network consensus than we do, + and if they think that the directory authorities list us a HSDir, + we might actually be one. Related to bug 2732; bugfix on + 0.2.0.10-alpha. + - When a controller changes TrackHostExits, remove mappings for + hosts that should no longer have their exits tracked. Bugfix on + 0.1.0.1-rc. + - When a controller changes VirtualAddrNetwork, remove any mappings + for hosts that were automapped to the old network. Bugfix on + 0.1.1.19-rc. + - When a controller changes one of the AutomapHosts* options, remove + any mappings for hosts that should no longer be automapped. Bugfix + on 0.2.0.1-alpha. + - Do not reset the bridge descriptor download status every time we + re-parse our configuration or get a configuration change. Fixes + bug 3019; bugfix on 0.2.0.3-alpha. + + o Minor bugfixes (code cleanup): + - When loading the microdesc journal, remember its current size. + In 0.2.2, this helps prevent the microdesc journal from growing + without limit on authorities (who are the only ones to use it in + 0.2.2). Fixes a part of bug 2230; bugfix on 0.2.2.6-alpha. + Fix posted by "cypherpunks." + - The microdesc journal is supposed to get rebuilt only if it is + at least _half_ the length of the store, not _twice_ the length + of the store. Bugfix on 0.2.2.6-alpha; fixes part of bug 2230. + - Fix a potential null-pointer dereference while computing a + consensus. Bugfix on tor-0.2.0.3-alpha, found with the help of + clang's analyzer. + - Avoid a possible null-pointer dereference when rebuilding the mdesc + cache without actually having any descriptors to cache. Bugfix on + 0.2.2.6-alpha. Issue discovered using clang's static analyzer. + - If we fail to compute the identity digest of a v3 legacy keypair, + warn, and don't use a buffer-full of junk instead. Bugfix on + 0.2.1.1-alpha; fixes bug 3106. + - Resolve an untriggerable issue in smartlist_string_num_isin(), + where if the function had ever in the future been used to check + for the presence of a too-large number, it would have given an + incorrect result. (Fortunately, we only used it for 16-bit + values.) Fixes bug 3175; bugfix on 0.1.0.1-rc. + - Require that introduction point keys and onion handshake keys + have a public exponent of 65537. Starts to fix bug 3207; bugfix + on 0.2.0.10-alpha. + + o Removed features: + - Caches no longer download and serve v2 networkstatus documents + unless FetchV2Networkstatus flag is set: these documents haven't + haven't been used by clients or relays since 0.2.0.x. Resolves + bug 3022. + + +Changes in version 0.2.2.25-alpha - 2011-04-29 + Tor 0.2.2.25-alpha fixes many bugs: hidden service clients are more + robust, routers no longer overreport their bandwidth, Win7 should crash + a little less, and NEWNYM (as used by Vidalia's "new identity" button) + now prevents hidden service-related activity from being linkable. It + provides more information to Vidalia so you can see if your bridge is + working. Also, 0.2.2.25-alpha revamps the Entry/Exit/ExcludeNodes and + StrictNodes configuration options to make them more reliable, more + understandable, and more regularly applied. If you use those options, + please see the revised documentation for them in the manual page. + + o Major bugfixes: + - Relays were publishing grossly inflated bandwidth values because + they were writing their state files wrong--now they write the + correct value. Also, resume reading bandwidth history from the + state file correctly. Fixes bug 2704; bugfix on 0.2.2.23-alpha. + - Improve hidden service robustness: When we find that we have + extended a hidden service's introduction circuit to a relay not + listed as an introduction point in the HS descriptor we currently + have, retry with an introduction point from the current + descriptor. Previously we would just give up. Fixes bugs 1024 and + 1930; bugfix on 0.2.0.10-alpha. + - Clients now stop trying to use an exit node associated with a given + destination by TrackHostExits if they fail to reach that exit node. + Fixes bug 2999. Bugfix on 0.2.0.20-rc. + - Fix crash bug on platforms where gmtime and localtime can return + NULL. Windows 7 users were running into this one. Fixes part of bug + 2077. Bugfix on all versions of Tor. Found by boboper. + + o Security and stability fixes: + - Don't double-free a parsable, but invalid, microdescriptor, even if + it is followed in the blob we're parsing by an unparsable + microdescriptor. Fixes an issue reported in a comment on bug 2954. + Bugfix on 0.2.2.6-alpha; fix by "cypherpunks". + - If the Nickname configuration option isn't given, Tor would pick a + nickname based on the local hostname as the nickname for a relay. + Because nicknames are not very important in today's Tor and the + "Unnamed" nickname has been implemented, this is now problematic + behavior: It leaks information about the hostname without being + useful at all. Fixes bug 2979; bugfix on 0.1.2.2-alpha, which + introduced the Unnamed nickname. Reported by tagnaq. + - Fix an uncommon assertion failure when running with DNSPort under + heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha. + - Avoid linkability based on cached hidden service descriptors: forget + all hidden service descriptors cached as a client when processing a + SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6. + + o Major features: + - Export GeoIP information on bridge usage to controllers even if we + have not yet been running for 24 hours. Now Vidalia bridge operators + can get more accurate and immediate feedback about their + contributions to the network. + + o Major features and bugfixes (node selection): + - Revise and reconcile the meaning of the ExitNodes, EntryNodes, + ExcludeEntryNodes, ExcludeExitNodes, ExcludeNodes, and StrictNodes + options. Previously, we had been ambiguous in describing what + counted as an "exit" node, and what operations exactly "StrictNodes + 0" would permit. This created confusion when people saw nodes built + through unexpected circuits, and made it hard to tell real bugs from + surprises. Now the intended behavior is: + . "Exit", in the context of ExitNodes and ExcludeExitNodes, means + a node that delivers user traffic outside the Tor network. + . "Entry", in the context of EntryNodes, means a node used as the + first hop of a multihop circuit. It doesn't include direct + connections to directory servers. + . "ExcludeNodes" applies to all nodes. + . "StrictNodes" changes the behavior of ExcludeNodes only. When + StrictNodes is set, Tor should avoid all nodes listed in + ExcludeNodes, even when it will make user requests fail. When + StrictNodes is *not* set, then Tor should follow ExcludeNodes + whenever it can, except when it must use an excluded node to + perform self-tests, connect to a hidden service, provide a + hidden service, fulfill a .exit request, upload directory + information, or fetch directory information. + Collectively, the changes to implement the behavior fix bug 1090. + - ExcludeNodes now takes precedence over EntryNodes and ExitNodes: if + a node is listed in both, it's treated as excluded. + - ExcludeNodes now applies to directory nodes -- as a preference if + StrictNodes is 0, or an absolute requirement if StrictNodes is 1. + Don't exclude all the directory authorities and set StrictNodes to 1 + unless you really want your Tor to break. + - ExcludeNodes and ExcludeExitNodes now override exit enclaving. + - ExcludeExitNodes now overrides .exit requests. + - We don't use bridges listed in ExcludeNodes. + - When StrictNodes is 1: + . We now apply ExcludeNodes to hidden service introduction points + and to rendezvous points selected by hidden service users. This + can make your hidden service less reliable: use it with caution! + . If we have used ExcludeNodes on ourself, do not try relay + reachability self-tests. + . If we have excluded all the directory authorities, we will not + even try to upload our descriptor if we're a relay. + . Do not honor .exit requests to an excluded node. + - Remove a misfeature that caused us to ignore the Fast/Stable flags + when ExitNodes is set. Bugfix on 0.2.2.7-alpha. + - When the set of permitted nodes changes, we now remove any mappings + introduced via TrackExitHosts to now-excluded nodes. Bugfix on + 0.1.0.1-rc. + - We never cannibalize a circuit that had excluded nodes on it, even + if StrictNodes is 0. Bugfix on 0.1.0.1-rc. + - Revert a change where we would be laxer about attaching streams to + circuits than when building the circuits. This was meant to prevent + a set of bugs where streams were never attachable, but our improved + code here should make this unnecessary. Bugfix on 0.2.2.7-alpha. + - Keep track of how many times we launch a new circuit to handle a + given stream. Too many launches could indicate an inconsistency + between our "launch a circuit to handle this stream" logic and our + "attach this stream to one of the available circuits" logic. + - Improve log messages related to excluded nodes. + + o Minor bugfixes: + - Fix a spurious warning when moving from a short month to a long + month on relays with month-based BandwidthAccounting. Bugfix on + 0.2.2.17-alpha; fixes bug 3020. + - When a client finds that an origin circuit has run out of 16-bit + stream IDs, we now mark it as unusable for new streams. Previously, + we would try to close the entire circuit. Bugfix on 0.0.6. + - Add a forgotten cast that caused a compile warning on OS X 10.6. + Bugfix on 0.2.2.24-alpha. + - Be more careful about reporting the correct error from a failed + connect() system call. Under some circumstances, it was possible to + look at an incorrect value for errno when sending the end reason. + Bugfix on 0.1.0.1-rc. + - Correctly handle an "impossible" overflow cases in connection byte + counting, where we write or read more than 4GB on an edge connection + in a single second. Bugfix on 0.1.2.8-beta. + - Correct the warning displayed when a rendezvous descriptor exceeds + the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by + John Brooks. + - Clients and hidden services now use HSDir-flagged relays for hidden + service descriptor downloads and uploads even if the relays have no + DirPort set and the client has disabled TunnelDirConns. This will + eventually allow us to give the HSDir flag to relays with no + DirPort. Fixes bug 2722; bugfix on 0.2.1.6-alpha. + - Downgrade "no current certificates known for authority" message from + Notice to Info. Fixes bug 2899; bugfix on 0.2.0.10-alpha. + - Make the SIGNAL DUMP control-port command work on FreeBSD. Fixes bug + 2917. Bugfix on 0.1.1.1-alpha. + - Only limit the lengths of single HS descriptors, even when multiple + HS descriptors are published to an HSDir relay in a single POST + operation. Fixes bug 2948; bugfix on 0.2.1.5-alpha. Found by hsdir. + - Write the current time into the LastWritten line in our state file, + rather than the time from the previous write attempt. Also, stop + trying to use a time of -1 in our log statements. Fixes bug 3039; + bugfix on 0.2.2.14-alpha. + - Be more consistent in our treatment of file system paths. "~" should + get expanded to the user's home directory in the Log config option. + Fixes bug 2971; bugfix on 0.2.0.1-alpha, which introduced the + feature for the -f and --DataDirectory options. + + o Minor features: + - Make sure every relay writes a state file at least every 12 hours. + Previously, a relay could go for weeks without writing its state + file, and on a crash could lose its bandwidth history, capacity + estimates, client country statistics, and so on. Addresses bug 3012. + - Send END_STREAM_REASON_NOROUTE in response to EHOSTUNREACH errors. + Clients before 0.2.1.27 didn't handle NOROUTE correctly, but such + clients are already deprecated because of security bugs. + - Don't allow v0 hidden service authorities to act as clients. + Required by fix for bug 3000. + - Ignore SIGNAL NEWNYM commands on relay-only Tor instances. Required + by fix for bug 3000. + - Ensure that no empty [dirreq-](read|write)-history lines are added + to an extrainfo document. Implements ticket 2497. + + o Code simplification and refactoring: + - Remove workaround code to handle directory responses from servers + that had bug 539 (they would send HTTP status 503 responses _and_ + send a body too). Since only server versions before + 0.2.0.16-alpha/0.1.2.19 were affected, there is no longer reason to + keep the workaround in place. + - Remove the old 'fuzzy time' logic. It was supposed to be used for + handling calculations where we have a known amount of clock skew and + an allowed amount of unknown skew. But we only used it in three + places, and we never adjusted the known/unknown skew values. This is + still something we might want to do someday, but if we do, we'll + want to do it differently. + - Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned. + None of the cases where we did this before were wrong, but by making + this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28. + - Use GetTempDir to find the proper temporary directory location on + Windows when generating temporary files for the unit tests. Patch by + Gisle Vanem. + + +Changes in version 0.2.2.24-alpha - 2011-04-08 + Tor 0.2.2.24-alpha fixes a variety of bugs, including a big bug that + prevented Tor clients from effectively using "multihomed" bridges, + that is, bridges that listen on multiple ports or IP addresses so users + can continue to use some of their addresses even if others get blocked. + + o Major bugfixes: + - Fix a bug where bridge users who configure the non-canonical + address of a bridge automatically switch to its canonical + address. If a bridge listens at more than one address, it should be + able to advertise those addresses independently and any non-blocked + addresses should continue to work. Bugfix on Tor 0.2.0.x. Fixes + bug 2510. + - If you configured Tor to use bridge A, and then quit and + configured Tor to use bridge B instead, it would happily continue + to use bridge A if it's still reachable. While this behavior is + a feature if your goal is connectivity, in some scenarios it's a + dangerous bug. Bugfix on Tor 0.2.0.1-alpha; fixes bug 2511. + - Directory authorities now use data collected from their own + uptime observations when choosing whether to assign the HSDir flag + to relays, instead of trusting the uptime value the relay reports in + its descriptor. This change helps prevent an attack where a small + set of nodes with frequently-changing identity keys can blackhole + a hidden service. (Only authorities need upgrade; others will be + fine once they do.) Bugfix on 0.2.0.10-alpha; fixes bug 2709. + + o Minor bugfixes: + - When we restart our relay, we might get a successful connection + from the outside before we've started our reachability tests, + triggering a warning: "ORPort found reachable, but I have no + routerinfo yet. Failing to inform controller of success." This + bug was harmless unless Tor is running under a controller + like Vidalia, in which case the controller would never get a + REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha; + fixes bug 1172. + - Make directory authorities more accurate at recording when + relays that have failed several reachability tests became + unreachable, so we can provide more accuracy at assigning Stable, + Guard, HSDir, etc flags. Bugfix on 0.2.0.6-alpha. Resolves bug 2716. + - Fix an issue that prevented static linking of libevent on + some platforms (notably Linux). Fixes bug 2698; bugfix on + versions 0.2.1.23/0.2.2.8-alpha (the versions introducing + the --with-static-libevent configure option). + - We now ask the other side of a stream (the client or the exit) + for more data on that stream when the amount of queued data on + that stream dips low enough. Previously, we wouldn't ask the + other side for more data until either it sent us more data (which + it wasn't supposed to do if it had exhausted its window!) or we + had completely flushed all our queued data. This flow control fix + should improve throughput. Fixes bug 2756; bugfix on the earliest + released versions of Tor (svn commit r152). + - Avoid a double-mark-for-free warning when failing to attach a + transparent proxy connection. (We thought we had fixed this in + 0.2.2.23-alpha, but it turns out our fix was checking the wrong + connection.) Fixes bug 2757; bugfix on 0.1.2.1-alpha (the original + bug) and 0.2.2.23-alpha (the incorrect fix). + - When warning about missing zlib development packages during compile, + give the correct package names. Bugfix on 0.2.0.1-alpha. + + o Minor features: + - Directory authorities now log the source of a rejected POSTed v3 + networkstatus vote. + - Make compilation with clang possible when using + --enable-gcc-warnings by removing two warning options that clang + hasn't implemented yet and by fixing a few warnings. Implements + ticket 2696. + - When expiring circuits, use microsecond timers rather than + one-second timers. This can avoid an unpleasant situation where a + circuit is launched near the end of one second and expired right + near the beginning of the next, and prevent fluctuations in circuit + timeout values. + - Use computed circuit-build timeouts to decide when to launch + parallel introduction circuits for hidden services. (Previously, + we would retry after 15 seconds.) + - Update to the April 1 2011 Maxmind GeoLite Country database. + + o Packaging fixes: + - Create the /var/run/tor directory on startup on OpenSUSE if it is + not already created. Patch from Andreas Stieger. Fixes bug 2573. + + o Documentation changes: + - Modernize the doxygen configuration file slightly. Fixes bug 2707. + - Resolve all doxygen warnings except those for missing documentation. + Fixes bug 2705. + - Add doxygen documentation for more functions, fields, and types. + + +Changes in version 0.2.2.23-alpha - 2011-03-08 + Tor 0.2.2.23-alpha lets relays record their bandwidth history so when + they restart they don't lose their bandwidth capacity estimate. This + release also fixes a diverse set of user-facing bugs, ranging from + relays overrunning their rate limiting to clients falsely warning about + clock skew to bridge descriptor leaks by our bridge directory authority. + + o Major bugfixes: + - Stop sending a CLOCK_SKEW controller status event whenever + we fetch directory information from a relay that has a wrong clock. + Instead, only inform the controller when it's a trusted authority + that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes + the rest of bug 1074. + - Fix an assert in parsing router descriptors containing IPv6 + addresses. This one took down the directory authorities when + somebody tried some experimental code. Bugfix on 0.2.1.3-alpha. + - Make the bridge directory authority refuse to answer directory + requests for "all" descriptors. It used to include bridge + descriptors in its answer, which was a major information leak. + Found by "piebeer". Bugfix on 0.2.0.3-alpha. + - If relays set RelayBandwidthBurst but not RelayBandwidthRate, + Tor would ignore their RelayBandwidthBurst setting, + potentially using more bandwidth than expected. Bugfix on + 0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470. + - Ignore and warn if the user mistakenly sets "PublishServerDescriptor + hidserv" in her torrc. The 'hidserv' argument never controlled + publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha. + + o Major features: + - Relays now save observed peak bandwidth throughput rates to their + state file (along with total usage, which was already saved) + so that they can determine their correct estimated bandwidth on + restart. Resolves bug 1863, where Tor relays would reset their + estimated bandwidth to 0 after restarting. + - Directory authorities now take changes in router IP address and + ORPort into account when determining router stability. Previously, + if a router changed its IP or ORPort, the authorities would not + treat it as having any downtime for the purposes of stability + calculation, whereas clients would experience downtime since the + change could take a while to propagate to them. Resolves issue 1035. + - Enable Address Space Layout Randomization (ASLR) and Data Execution + Prevention (DEP) by default on Windows to make it harder for + attackers to exploit vulnerabilities. Patch from John Brooks. + + o Minor bugfixes (on 0.2.1.x and earlier): + - Fix a rare crash bug that could occur when a client was configured + with a large number of bridges. Fixes bug 2629; bugfix on + 0.2.1.2-alpha. Bugfix by trac user "shitlei". + - Avoid a double mark-for-free warning when failing to attach a + transparent proxy connection. Bugfix on 0.1.2.1-alpha. Fixes + bug 2279. + - Correctly detect failure to allocate an OpenSSL BIO. Fixes bug 2378; + found by "cypherpunks". This bug was introduced before the first + Tor release, in svn commit r110. + - Country codes aren't supported in EntryNodes until 0.2.3.x, so + don't mention them in the manpage. Fixes bug 2450; issue + spotted by keb and G-Lo. + - Fix a bug in bandwidth history state parsing that could have been + triggered if a future version of Tor ever changed the timing + granularity at which bandwidth history is measured. Bugfix on + Tor 0.1.1.11-alpha. + - When a relay decides that its DNS is too broken for it to serve + as an exit server, it advertised itself as a non-exit, but + continued to act as an exit. This could create accidental + partitioning opportunities for users. Instead, if a relay is + going to advertise reject *:* as its exit policy, it should + really act with exit policy "reject *:*". Fixes bug 2366. + Bugfix on Tor 0.1.2.5-alpha. Bugfix by user "postman" on trac. + - In the special case where you configure a public exit relay as your + bridge, Tor would be willing to use that exit relay as the last + hop in your circuit as well. Now we fail that circuit instead. + Bugfix on 0.2.0.12-alpha. Fixes bug 2403. Reported by "piebeer". + - Fix a bug with our locking implementation on Windows that couldn't + correctly detect when a file was already locked. Fixes bug 2504, + bugfix on 0.2.1.6-alpha. + - Fix IPv6-related connect() failures on some platforms (BSD, OS X). + Bugfix on 0.2.0.3-alpha; fixes first part of bug 2660. Patch by + "piebeer". + - Set target port in get_interface_address6() correctly. Bugfix + on 0.1.1.4-alpha and 0.2.0.3-alpha; fixes second part of bug 2660. + - Directory authorities are now more robust to hops back in time + when calculating router stability. Previously, if a run of uptime + or downtime appeared to be negative, the calculation could give + incorrect results. Bugfix on 0.2.0.6-alpha; noticed when fixing + bug 1035. + - Fix an assert that got triggered when using the TestingTorNetwork + configuration option and then issuing a GETINFO config-text control + command. Fixes bug 2250; bugfix on 0.2.1.2-alpha. + + o Minor bugfixes (on 0.2.2.x): + - Clients should not weight BadExit nodes as Exits in their node + selection. Similarly, directory authorities should not count BadExit + bandwidth as Exit bandwidth when computing bandwidth-weights. + Bugfix on 0.2.2.10-alpha; fixes bug 2203. + - Correctly clear our dir_read/dir_write history when there is an + error parsing any bw history value from the state file. Bugfix on + Tor 0.2.2.15-alpha. + - Resolve a bug in verifying signatures of directory objects + with digests longer than SHA1. Bugfix on 0.2.2.20-alpha. + Fixes bug 2409. Found by "piebeer". + - Bridge authorities no longer crash on SIGHUP when they try to + publish their relay descriptor to themselves. Fixes bug 2572. Bugfix + on 0.2.2.22-alpha. + + o Minor features: + - Log less aggressively about circuit timeout changes, and improve + some other circuit timeout messages. Resolves bug 2004. + - Log a little more clearly about the times at which we're no longer + accepting new connections. Resolves bug 2181. + - Reject attempts at the client side to open connections to private + IP addresses (like 127.0.0.1, 10.0.0.1, and so on) with + a randomly chosen exit node. Attempts to do so are always + ill-defined, generally prevented by exit policies, and usually + in error. This will also help to detect loops in transparent + proxy configurations. You can disable this feature by setting + "ClientRejectInternalAddresses 0" in your torrc. + - Always treat failure to allocate an RSA key as an unrecoverable + allocation error. + - Update to the March 1 2011 Maxmind GeoLite Country database. + + o Minor features (log subsystem): + - Add documentation for configuring logging at different severities in + different log domains. We've had this feature since 0.2.1.1-alpha, + but for some reason it never made it into the manpage. Fixes + bug 2215. + - Make it simpler to specify "All log domains except for A and B". + Previously you needed to say "[*,~A,~B]". Now you can just say + "[~A,~B]". + - Add a "LogMessageDomains 1" option to include the domains of log + messages along with the messages. Without this, there's no way + to use log domains without reading the source or doing a lot + of guessing. + + o Packaging changes: + - Stop shipping the Tor specs files and development proposal documents + in the tarball. They are now in a separate git repository at + git://git.torproject.org/torspec.git + + +Changes in version 0.2.1.30 - 2011-02-23 + Tor 0.2.1.30 fixes a variety of less critical bugs. The main other + change is a slight tweak to Tor's TLS handshake that makes relays + and bridges that run this new version reachable from Iran again. + We don't expect this tweak will win the arms race long-term, but it + buys us time until we roll out a better solution. + + o Major bugfixes: + - Stop sending a CLOCK_SKEW controller status event whenever + we fetch directory information from a relay that has a wrong clock. + Instead, only inform the controller when it's a trusted authority + that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes + the rest of bug 1074. + - Fix a bounds-checking error that could allow an attacker to + remotely crash a directory authority. Bugfix on 0.2.1.5-alpha. + Found by "piebeer". + - If relays set RelayBandwidthBurst but not RelayBandwidthRate, + Tor would ignore their RelayBandwidthBurst setting, + potentially using more bandwidth than expected. Bugfix on + 0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470. + - Ignore and warn if the user mistakenly sets "PublishServerDescriptor + hidserv" in her torrc. The 'hidserv' argument never controlled + publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha. + + o Minor features: + - Adjust our TLS Diffie-Hellman parameters to match those used by + Apache's mod_ssl. + - Update to the February 1 2011 Maxmind GeoLite Country database. + + o Minor bugfixes: + - Check for and reject overly long directory certificates and + directory tokens before they have a chance to hit any assertions. + Bugfix on 0.2.1.28. Found by "doorss". + - Bring the logic that gathers routerinfos and assesses the + acceptability of circuits into line. This prevents a Tor OP from + getting locked in a cycle of choosing its local OR as an exit for a + path (due to a .exit request) and then rejecting the circuit because + its OR is not listed yet. It also prevents Tor clients from using an + OR running in the same instance as an exit (due to a .exit request) + if the OR does not meet the same requirements expected of an OR + running elsewhere. Fixes bug 1859; bugfix on 0.1.0.1-rc. + + o Packaging changes: + - Stop shipping the Tor specs files and development proposal documents + in the tarball. They are now in a separate git repository at + git://git.torproject.org/torspec.git + - Do not include Git version tags as though they are SVN tags when + generating a tarball from inside a repository that has switched + between branches. Bugfix on 0.2.1.15-rc; fixes bug 2402. + + +Changes in version 0.2.2.22-alpha - 2011-01-25 + Tor 0.2.2.22-alpha fixes a few more less-critical security issues. The + main other change is a slight tweak to Tor's TLS handshake that makes + relays and bridges that run this new version reachable from Iran again. + We don't expect this tweak will win the arms race long-term, but it + will buy us a bit more time until we roll out a better solution. + + o Major bugfixes: + - Fix a bounds-checking error that could allow an attacker to + remotely crash a directory authority. Bugfix on 0.2.1.5-alpha. + Found by "piebeer". + - Don't assert when changing from bridge to relay or vice versa + via the controller. The assert happened because we didn't properly + initialize our keys in this case. Bugfix on 0.2.2.18-alpha; fixes + bug 2433. Reported by bastik. + + o Minor features: + - Adjust our TLS Diffie-Hellman parameters to match those used by + Apache's mod_ssl. + - Provide a log message stating which geoip file we're parsing + instead of just stating that we're parsing the geoip file. + Implements ticket 2432. + + o Minor bugfixes: + - Check for and reject overly long directory certificates and + directory tokens before they have a chance to hit any assertions. + Bugfix on 0.2.1.28 / 0.2.2.20-alpha. Found by "doorss". + + +Changes in version 0.2.2.21-alpha - 2011-01-15 + Tor 0.2.2.21-alpha includes all the patches from Tor 0.2.1.29, which + continues our recent code security audit work. The main fix resolves + a remote heap overflow vulnerability that can allow remote code + execution (CVE-2011-0427). Other fixes address a variety of assert + and crash bugs, most of which we think are hard to exploit remotely. + + o Major bugfixes (security), also included in 0.2.1.29: + - Fix a heap overflow bug where an adversary could cause heap + corruption. This bug probably allows remote code execution + attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on + 0.1.2.10-rc. + - Prevent a denial-of-service attack by disallowing any + zlib-compressed data whose compression factor is implausibly + high. Fixes part of bug 2324; reported by "doorss". + - Zero out a few more keys in memory before freeing them. Fixes + bug 2384 and part of bug 2385. These key instances found by + "cypherpunks", based on Andrew Case's report about being able + to find sensitive data in Tor's memory space if you have enough + permissions. Bugfix on 0.0.2pre9. + + o Major bugfixes (crashes), also included in 0.2.1.29: + - Prevent calls to Libevent from inside Libevent log handlers. + This had potential to cause a nasty set of crashes, especially + if running Libevent with debug logging enabled, and running + Tor with a controller watching for low-severity log messages. + Bugfix on 0.1.0.2-rc. Fixes bug 2190. + - Add a check for SIZE_T_MAX to tor_realloc() to try to avoid + underflow errors there too. Fixes the other part of bug 2324. + - Fix a bug where we would assert if we ever had a + cached-descriptors.new file (or another file read directly into + memory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix + on 0.2.1.25. Found by doorss. + - Fix some potential asserts and parsing issues with grossly + malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27. + Found by doorss. + + o Minor bugfixes (other), also included in 0.2.1.29: + - Fix a bug with handling misformed replies to reverse DNS lookup + requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related to a + bug reported by doorss. + - Fix compilation on mingw when a pthreads compatibility library + has been installed. (We don't want to use it, so we shouldn't + be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc. + - Fix a bug where we would declare that we had run out of virtual + addresses when the address space was only half-exhausted. Bugfix + on 0.1.2.1-alpha. + - Correctly handle the case where AutomapHostsOnResolve is set but + no virtual addresses are available. Fixes bug 2328; bugfix on + 0.1.2.1-alpha. Bug found by doorss. + - Correctly handle wrapping around when we run out of virtual + address space. Found by cypherpunks; bugfix on 0.2.0.5-alpha. + + o Minor features, also included in 0.2.1.29: + - Update to the January 1 2011 Maxmind GeoLite Country database. + - Introduce output size checks on all of our decryption functions. + + o Build changes, also included in 0.2.1.29: + - Tor does not build packages correctly with Automake 1.6 and earlier; + added a check to Makefile.am to make sure that we're building with + Automake 1.7 or later. + - The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c + because we built it with a too-old version of automake. Thus that + release broke ./configure --enable-openbsd-malloc, which is popular + among really fast exit relays on Linux. + + o Major bugfixes, new in 0.2.2.21-alpha: + - Prevent crash/heap corruption when the cbtnummodes consensus + parameter is set to 0 or large values. Fixes bug 2317; bugfix + on 0.2.2.14-alpha. + + o Major features, new in 0.2.2.21-alpha: + - Introduce minimum/maximum values that clients will believe + from the consensus. Now we'll have a better chance to avoid crashes + or worse when a consensus param has a weird value. + + o Minor features, new in 0.2.2.21-alpha: + - Make sure to disable DirPort if running as a bridge. DirPorts aren't + used on bridges, and it makes bridge scanning somewhat easier. + - If writing the state file to disk fails, wait up to an hour before + retrying again, rather than trying again each second. Fixes bug + 2346; bugfix on Tor 0.1.1.3-alpha. + - Make Libevent log messages get delivered to controllers later, + and not from inside the Libevent log handler. This prevents unsafe + reentrant Libevent calls while still letting the log messages + get through. + - Detect platforms that brokenly use a signed size_t, and refuse to + build there. Found and analyzed by doorss and rransom. + - Fix a bunch of compile warnings revealed by mingw with gcc 4.5. + Resolves bug 2314. + + o Minor bugfixes, new in 0.2.2.21-alpha: + - Handle SOCKS messages longer than 128 bytes long correctly, rather + than waiting forever for them to finish. Fixes bug 2330; bugfix + on 0.2.0.16-alpha. Found by doorss. + - Add assertions to check for overflow in arguments to + base32_encode() and base32_decode(); fix a signed-unsigned + comparison there too. These bugs are not actually reachable in Tor, + but it's good to prevent future errors too. Found by doorss. + - Correctly detect failures to create DNS requests when using Libevent + versions before v2. (Before Libevent 2, we used our own evdns + implementation. Its return values for Libevent's evdns_resolve_*() + functions are not consistent with those from Libevent.) Fixes bug + 2363; bugfix on 0.2.2.6-alpha. Found by "lodger". + + o Documentation, new in 0.2.2.21-alpha: + - Document the default socks host and port (127.0.0.1:9050) for + tor-resolve. + + +Changes in version 0.2.1.29 - 2011-01-15 + Tor 0.2.1.29 continues our recent code security audit work. The main + fix resolves a remote heap overflow vulnerability that can allow remote + code execution. Other fixes address a variety of assert and crash bugs, + most of which we think are hard to exploit remotely. + + o Major bugfixes (security): + - Fix a heap overflow bug where an adversary could cause heap + corruption. This bug probably allows remote code execution + attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on + 0.1.2.10-rc. + - Prevent a denial-of-service attack by disallowing any + zlib-compressed data whose compression factor is implausibly + high. Fixes part of bug 2324; reported by "doorss". + - Zero out a few more keys in memory before freeing them. Fixes + bug 2384 and part of bug 2385. These key instances found by + "cypherpunks", based on Andrew Case's report about being able + to find sensitive data in Tor's memory space if you have enough + permissions. Bugfix on 0.0.2pre9. + + o Major bugfixes (crashes): + - Prevent calls to Libevent from inside Libevent log handlers. + This had potential to cause a nasty set of crashes, especially + if running Libevent with debug logging enabled, and running + Tor with a controller watching for low-severity log messages. + Bugfix on 0.1.0.2-rc. Fixes bug 2190. + - Add a check for SIZE_T_MAX to tor_realloc() to try to avoid + underflow errors there too. Fixes the other part of bug 2324. + - Fix a bug where we would assert if we ever had a + cached-descriptors.new file (or another file read directly into + memory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix + on 0.2.1.25. Found by doorss. + - Fix some potential asserts and parsing issues with grossly + malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27. + Found by doorss. + + o Minor bugfixes (other): + - Fix a bug with handling misformed replies to reverse DNS lookup + requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related to a + bug reported by doorss. + - Fix compilation on mingw when a pthreads compatibility library + has been installed. (We don't want to use it, so we shouldn't + be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc. + - Fix a bug where we would declare that we had run out of virtual + addresses when the address space was only half-exhausted. Bugfix + on 0.1.2.1-alpha. + - Correctly handle the case where AutomapHostsOnResolve is set but + no virtual addresses are available. Fixes bug 2328; bugfix on + 0.1.2.1-alpha. Bug found by doorss. + - Correctly handle wrapping around to when we run out of virtual + address space. Found by cypherpunks, bugfix on 0.2.0.5-alpha. + - The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c + because we built it with a too-old version of automake. Thus that + release broke ./configure --enable-openbsd-malloc, which is popular + among really fast exit relays on Linux. + + o Minor features: + - Update to the January 1 2011 Maxmind GeoLite Country database. + - Introduce output size checks on all of our decryption functions. + + o Build changes: + - Tor does not build packages correctly with Automake 1.6 and earlier; + added a check to Makefile.am to make sure that we're building with + Automake 1.7 or later. + + +Changes in version 0.2.2.20-alpha - 2010-12-17 + Tor 0.2.2.20-alpha does some code cleanup to reduce the risk of remotely + exploitable bugs. We also fix a variety of other significant bugs, + change the IP address for one of our directory authorities, and update + the minimum version that Tor relays must run to join the network. + + o Major bugfixes: + - Fix a remotely exploitable bug that could be used to crash instances + of Tor remotely by overflowing on the heap. Remote-code execution + hasn't been confirmed, but can't be ruled out. Everyone should + upgrade. Bugfix on the 0.1.1 series and later. + - Fix a bug that could break accounting on 64-bit systems with large + time_t values, making them hibernate for impossibly long intervals. + Fixes bug 2146. Bugfix on 0.0.9pre6; fix by boboper. + - Fix a logic error in directory_fetches_from_authorities() that + would cause all _non_-exits refusing single-hop-like circuits + to fetch from authorities, when we wanted to have _exits_ fetch + from authorities. Fixes more of 2097. Bugfix on 0.2.2.16-alpha; + fix by boboper. + - Fix a stream fairness bug that would cause newer streams on a given + circuit to get preference when reading bytes from the origin or + destination. Fixes bug 2210. Fix by Mashael AlSabah. This bug was + introduced before the first Tor release, in svn revision r152. + + o Directory authority changes: + - Change IP address and ports for gabelmoo (v3 directory authority). + + o Minor bugfixes: + - Avoid crashes when AccountingMax is set on clients. Fixes bug 2235. + Bugfix on 0.2.2.18-alpha. Diagnosed by boboper. + - Fix an off-by-one error in calculating some controller command + argument lengths. Fortunately, this mistake is harmless since + the controller code does redundant NUL termination too. Found by + boboper. Bugfix on 0.1.1.1-alpha. + - Do not dereference NULL if a bridge fails to build its + extra-info descriptor. Found by an anonymous commenter on + Trac. Bugfix on 0.2.2.19-alpha. + + o Minor features: + - Update to the December 1 2010 Maxmind GeoLite Country database. + - Directory authorities now reject relays running any versions of + Tor between 0.2.1.3-alpha and 0.2.1.18 inclusive; they have + known bugs that keep RELAY_EARLY cells from working on rendezvous + circuits. Followup to fix for bug 2081. + - Directory authorities now reject relays running any version of Tor + older than 0.2.0.26-rc. That version is the earliest that fetches + current directory information correctly. Fixes bug 2156. + - Report only the top 10 ports in exit-port stats in order not to + exceed the maximum extra-info descriptor length of 50 KB. Implements + task 2196. + + +Changes in version 0.2.1.28 - 2010-12-17 + Tor 0.2.1.28 does some code cleanup to reduce the risk of remotely + exploitable bugs. We also took this opportunity to change the IP address + for one of our directory authorities, and to update the geoip database + we ship. + + o Major bugfixes: + - Fix a remotely exploitable bug that could be used to crash instances + of Tor remotely by overflowing on the heap. Remote-code execution + hasn't been confirmed, but can't be ruled out. Everyone should + upgrade. Bugfix on the 0.1.1 series and later. + + o Directory authority changes: + - Change IP address and ports for gabelmoo (v3 directory authority). + + o Minor features: + - Update to the December 1 2010 Maxmind GeoLite Country database. + + +Changes in version 0.2.1.27 - 2010-11-23 + Yet another OpenSSL security patch broke its compatibility with Tor: + Tor 0.2.1.27 makes relays work with openssl 0.9.8p and 1.0.0.b. We + also took this opportunity to fix several crash bugs, integrate a new + directory authority, and update the bundled GeoIP database. + + o Major bugfixes: + - Resolve an incompatibility with OpenSSL 0.9.8p and OpenSSL 1.0.0b: + No longer set the tlsext_host_name extension on server SSL objects; + but continue to set it on client SSL objects. Our goal in setting + it was to imitate a browser, not a vhosting server. Fixes bug 2204; + bugfix on 0.2.1.1-alpha. + - Do not log messages to the controller while shrinking buffer + freelists. Doing so would sometimes make the controller connection + try to allocate a buffer chunk, which would mess up the internals + of the freelist and cause an assertion failure. Fixes bug 1125; + fixed by Robert Ransom. Bugfix on 0.2.0.16-alpha. + - Learn our external IP address when we're a relay or bridge, even if + we set PublishServerDescriptor to 0. Bugfix on 0.2.0.3-alpha, + where we introduced bridge relays that don't need to publish to + be useful. Fixes bug 2050. + - Do even more to reject (and not just ignore) annotations on + router descriptors received anywhere but from the cache. Previously + we would ignore such annotations at first, but cache them to disk + anyway. Bugfix on 0.2.0.8-alpha. Found by piebeer. + - When you're using bridges and your network goes away and your + bridges get marked as down, recover when you attempt a new socks + connection (if the network is back), rather than waiting up to an + hour to try fetching new descriptors for your bridges. Bugfix on + 0.2.0.3-alpha; fixes bug 1981. + + o Major features: + - Move to the November 2010 Maxmind GeoLite country db (rather + than the June 2009 ip-to-country GeoIP db) for our statistics that + count how many users relays are seeing from each country. Now we'll + have more accurate data, especially for many African countries. + + o New directory authorities: + - Set up maatuska (run by Linus Nordberg) as the eighth v3 directory + authority. + + o Minor bugfixes: + - Fix an assertion failure that could occur in directory caches or + bridge users when using a very short voting interval on a testing + network. Diagnosed by Robert Hogan. Fixes bug 1141; bugfix on + 0.2.0.8-alpha. + - Enforce multiplicity rules when parsing annotations. Bugfix on + 0.2.0.8-alpha. Found by piebeer. + - Allow handshaking OR connections to take a full KeepalivePeriod + seconds to handshake. Previously, we would close them after + IDLE_OR_CONN_TIMEOUT (180) seconds, the same timeout as if they + were open. Bugfix on 0.2.1.26; fixes bug 1840. Thanks to mingw-san + for analysis help. + - When building with --enable-gcc-warnings on OpenBSD, disable + warnings in system headers. This makes --enable-gcc-warnings + pass on OpenBSD 4.8. + + o Minor features: + - Exit nodes didn't recognize EHOSTUNREACH as a plausible error code, + and so sent back END_STREAM_REASON_MISC. Clients now recognize a new + stream ending reason for this case: END_STREAM_REASON_NOROUTE. + Servers can start sending this code when enough clients recognize + it. Bugfix on 0.1.0.1-rc; fixes part of bug 1793. + - Build correctly on mingw with more recent versions of OpenSSL 0.9.8. + Patch from mingw-san. + + o Removed files: + - Remove the old debian/ directory from the main Tor distribution. + The official Tor-for-debian git repository lives at the URL + https://git.torproject.org/debian/tor.git + - Stop shipping the old doc/website/ directory in the tarball. We + changed the website format in late 2010, and what we shipped in + 0.2.1.26 really wasn't that useful anyway. + + Changes in version 0.2.2.19-alpha - 2010-11-22 Yet another OpenSSL security patch broke its compatibility with Tor: Tor 0.2.2.19-alpha makes relays work with OpenSSL 0.9.8p and 1.0.0.b. @@ -543,9 +2319,10 @@ Changes in version 0.2.2.14-alpha - 2010-07-12 o Minor features: - New config option "WarnUnsafeSocks 0" disables the warning that - occurs whenever Tor receives only an IP address instead of a - hostname. Setups that do DNS locally over Tor are fine, and we - shouldn't spam the logs in that case. + occurs whenever Tor receives a socks handshake using a version of + the socks protocol that can only provide an IP address (rather + than a hostname). Setups that do DNS locally over Tor are fine, + and we shouldn't spam the logs in that case. - Convert the HACKING file to asciidoc, and add a few new sections to it, explaining how we use Git, how we make changelogs, and what should go in a patch. @@ -1478,8 +3255,8 @@ Changes in version 0.2.2.1-alpha - 2009-08-26 oldest-bug prize. o New options for gathering stats safely: - - Directories that set "DirReqStatistics 1" write statistics on - directory request to disk every 24 hours. As compared to the + - Directory mirrors that set "DirReqStatistics 1" write statistics + about directory requests to disk every 24 hours. As compared to the --enable-geoip-stats flag in 0.2.1.x, there are a few improvements: 1) stats are written to disk exactly every 24 hours; 2) estimated shares of v2 and v3 requests are determined as mean values, not at @@ -1517,9 +3294,9 @@ Changes in version 0.2.2.1-alpha - 2009-08-26 the git commit (when we're building from a git checkout). o Minor bugfixes: - - If any the v3 certs we download are unparseable, we should actually - notice the failure so we don't retry indefinitely. Bugfix on - 0.2.0.x; reported by "rotator". + - If any of the v3 certs we download are unparseable, we should + actually notice the failure so we don't retry indefinitely. Bugfix + on 0.2.0.x; reported by "rotator". - If the cached cert file is unparseable, warn but don't exit. - Fix possible segmentation fault on directory authorities. Bugfix on 0.2.1.14-rc. diff --git a/ReleaseNotes b/ReleaseNotes index 7ba473e907..bfb1374130 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -3,6 +3,1764 @@ This document summarizes new features and bugfixes in each stable release of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. +Changes in version 0.2.2.36 - 2012-04-?? + Tor 0.2.2.36 updates the addresses for two of the eight directory + authorities, fixes some potential anonymity and security issues, + and fixes several crash bugs. + + Tor 0.2.1.x has reached its end-of-life. Those Tor versions have many + known flaws, and nobody should be using them. You should upgrade. If + you're using a Linux or BSD and its packages are obsolete, stop using + those packages and upgrade anyway. + + o Directory authority changes: + - Change IP address for maatuska (v3 directory authority). + - Change IP address for ides (v3 directory authority), and rename + it to turtles. + + o Security fixes: + - When building or running with any version of OpenSSL earlier + than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL + versions have a bug (CVE-2011-4576) in which their block cipher + padding includes uninitialized data, potentially leaking sensitive + information to any peer with whom they make a SSLv3 connection. Tor + does not use SSL v3 by default, but a hostile client or server + could force an SSLv3 connection in order to gain information that + they shouldn't have been able to get. The best solution here is to + upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building + or running with a non-upgraded OpenSSL, we disable SSLv3 entirely + to make sure that the bug can't happen. + - Never use a bridge or a controller-supplied node as an exit, even + if its exit policy allows it. Found by wanoskarnet. Fixes bug + 5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors) + and 0.2.0.3-alpha (for bridge-purpose descriptors). + - Only build circuits if we have a sufficient threshold of the total + descriptors that are marked in the consensus with the "Exit" + flag. This mitigates an attack proposed by wanoskarnet, in which + all of a client's bridges collude to restrict the exit nodes that + the client knows about. Fixes bug 5343. + - Provide controllers with a safer way to implement the cookie + authentication mechanism. With the old method, if another locally + running program could convince a controller that it was the Tor + process, then that program could trick the contoller into telling + it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE" + authentication method uses a challenge-response approach to prevent + this attack. Fixes bug 5185, implements proposal 193. + + o Major bugfixes: + - Avoid logging uninitialized data when unable to decode a hidden + service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha. + - Avoid a client-side assertion failure when receiving an INTRODUCE2 + cell on a general purpose circuit. Fixes bug 5644; bugfix on + 0.2.1.6-alpha. + - Fix builds when the path to sed, openssl, or sha1sum contains + spaces, which is pretty common on Windows. Fixes bug 5065; bugfix + on 0.2.2.1-alpha. + - Correct our replacements for the timeradd() and timersub() functions + on platforms that lack them (for example, Windows). The timersub() + function is used when expiring circuits, while timeradd() is + currently unused. Bug report and patch by Vektor. Fixes bug 4778; + bugfix on 0.2.2.24-alpha. + - Fix the SOCKET_OK test that we use to tell when socket + creation fails so that it works on Win64. Fixes part of bug 4533; + bugfix on 0.2.2.29-beta. Bug found by wanoskarnet. + + o Minor bugfixes: + - Older Linux kernels erroneously respond to strange nmap behavior + by having accept() return successfully with a zero-length + socket. When this happens, just close the connection. Previously, + we would try harder to learn the remote address: but there was + no such remote address to learn, and our method for trying to + learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix + on 0.1.0.3-rc. Reported and diagnosed by "r1eo". + - Change the BridgePassword feature (part of the "bridge community" + design, which is not yet implemented) to use a time-independent + comparison. The old behavior might have allowed an adversary + to use timing to guess the BridgePassword value. Fixes bug 5543; + bugfix on 0.2.0.14-alpha. + - Detect and reject certain misformed escape sequences in + configuration values. Previously, these values would cause us + to crash if received in a torrc file or over an authenticated + control port. Bug found by Esteban Manchado Velázquez, and + independently by Robert Connolly from Matta Consulting who further + noted that it allows a post-authentication heap overflow. Patch + by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE 2012-1668); + bugfix on 0.2.0.16-alpha. + - Fix a compile warning when using the --enable-openbsd-malloc + configure option. Fixes bug 5340; bugfix on 0.2.0.20-rc. + - During configure, detect when we're building with clang version + 3.0 or lower and disable the -Wnormalized=id and -Woverride-init + CFLAGS. clang doesn't support them yet. + - When sending an HTTP/1.1 proxy request, include a Host header. + Fixes bug 5593; bugfix on 0.2.2.1-alpha. + + o Minor bugfixes (documentation and log messages): + - Fix a typo in a log message in rend_service_rendezvous_has_opened(). + Fixes bug 4856; bugfix on Tor 0.0.6. + - Update "ClientOnly" man page entry to explain that there isn't + really any point to messing with it. Resolves ticket 5005. + - Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays + directory authority option (introduced in Tor 0.2.2.34). + - Downgrade the "We're missing a certificate" message from notice + to info: people kept mistaking it for a real problem, whereas it + is seldom the problem even when we are failing to bootstrap. Fixes + bug 5067; bugfix on 0.2.0.10-alpha. + - Correctly spell "connect" in a log message on failure to create a + controlsocket. Fixes bug 4803; bugfix on 0.2.2.26-beta. + + o Minor features: + - Directory authorities now reject versions of Tor older than + 0.2.1.30, and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha + inclusive. These versions accounted for only a small fraction of + the Tor network, and have numerous known security issues. Resolves + issue 4788. + - Update to the April 3 2012 Maxmind GeoLite Country database. + + - Feature removal: + - When sending or relaying a RELAY_EARLY cell, we used to convert + it to a RELAY cell if the connection was using the v1 link + protocol. This was a workaround for older versions of Tor, which + didn't handle RELAY_EARLY cells properly. Now that all supported + versions can handle RELAY_EARLY cells, and now that we're enforcing + the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule, + remove this workaround. Addresses bug 4786. + + +Changes in version 0.2.2.35 - 2011-12-16 + Tor 0.2.2.35 fixes a critical heap-overflow security issue in Tor's + buffers code. Absolutely everybody should upgrade. + + The bug relied on an incorrect calculation when making data continuous + in one of our IO buffers, if the first chunk of the buffer was + misaligned by just the wrong amount. The miscalculation would allow an + attacker to overflow a piece of heap-allocated memory. To mount this + attack, the attacker would need to either open a SOCKS connection to + Tor's SocksPort (usually restricted to localhost), or target a Tor + instance configured to make its connections through a SOCKS proxy + (which Tor does not do by default). + + Good security practice requires that all heap-overflow bugs should be + presumed to be exploitable until proven otherwise, so we are treating + this as a potential code execution attack. Please upgrade immediately! + This bug does not affect bufferevents-based builds of Tor. Special + thanks to "Vektor" for reporting this issue to us! + + Tor 0.2.2.35 also fixes several bugs in previous versions, including + crash bugs for unusual configurations, and a long-term bug that + would prevent Tor from starting on Windows machines with draconian + AV software. + + With this release, we remind everyone that 0.2.0.x has reached its + formal end-of-life. Those Tor versions have many known flaws, and + nobody should be using them. You should upgrade -- ideally to the + 0.2.2.x series. If you're using a Linux or BSD and its packages are + obsolete, stop using those packages and upgrade anyway. + + The Tor 0.2.1.x series is also approaching its end-of-life: it will no + longer receive support after some time in early 2012. + + o Major bugfixes: + - Fix a heap overflow bug that could occur when trying to pull + data into the first chunk of a buffer, when that chunk had + already had some data drained from it. Fixes CVE-2011-2778; + bugfix on 0.2.0.16-alpha. Reported by "Vektor". + - Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so + that it doesn't attempt to allocate a socketpair. This could cause + some problems on Windows systems with overzealous firewalls. Fix for + bug 4457; workaround for Libevent versions 2.0.1-alpha through + 2.0.15-stable. + - If we mark an OR connection for close based on a cell we process, + don't process any further cells on it. We already avoid further + reads on marked-for-close connections, but now we also discard the + cells we'd already read. Fixes bug 4299; bugfix on 0.2.0.10-alpha, + which was the first version where we might mark a connection for + close based on processing a cell on it. + - Correctly sanity-check that we don't underflow on a memory + allocation (and then assert) for hidden service introduction + point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410; + bugfix on 0.2.1.5-alpha. + - Fix a memory leak when we check whether a hidden service + descriptor has any usable introduction points left. Fixes bug + 4424. Bugfix on 0.2.2.25-alpha. + - Don't crash when we're running as a relay and don't have a GeoIP + file. Bugfix on 0.2.2.34; fixes bug 4340. This backports a fix + we've had in the 0.2.3.x branch already. + - When running as a client, do not print a misleading (and plain + wrong) log message that we're collecting "directory request" + statistics: clients don't collect statistics. Also don't create a + useless (because empty) stats file in the stats/ directory. Fixes + bug 4353; bugfix on 0.2.2.34. + + o Minor bugfixes: + - Detect failure to initialize Libevent. This fix provides better + detection for future instances of bug 4457. + - Avoid frequent calls to the fairly expensive cull_wedged_cpuworkers + function. This was eating up hideously large amounts of time on some + busy servers. Fixes bug 4518; bugfix on 0.0.9.8. + - Resolve an integer overflow bug in smartlist_ensure_capacity(). + Fixes bug 4230; bugfix on Tor 0.1.0.1-rc. Based on a patch by + Mansour Moufid. + - Don't warn about unused log_mutex in log.c when building with + --disable-threads using a recent GCC. Fixes bug 4437; bugfix on + 0.1.0.6-rc which introduced --disable-threads. + - When configuring, starting, or stopping an NT service, stop + immediately after the service configuration attempt has succeeded + or failed. Fixes bug 3963; bugfix on 0.2.0.7-alpha. + - When sending a NETINFO cell, include the original address + received for the other side, not its canonical address. Found + by "troll_un"; fixes bug 4349; bugfix on 0.2.0.10-alpha. + - Fix a typo in a hibernation-related log message. Fixes bug 4331; + bugfix on 0.2.2.23-alpha; found by "tmpname0901". + - Fix a memory leak in launch_direct_bridge_descriptor_fetch() that + occurred when a client tried to fetch a descriptor for a bridge + in ExcludeNodes. Fixes bug 4383; bugfix on 0.2.2.25-alpha. + - Backport fixes for a pair of compilation warnings on Windows. + Fixes bug 4521; bugfix on 0.2.2.28-beta and on 0.2.2.29-beta. + - If we had ever tried to call tor_addr_to_str on an address of + unknown type, we would have done a strdup on an uninitialized + buffer. Now we won't. Fixes bug 4529; bugfix on 0.2.1.3-alpha. + Reported by "troll_un". + - Correctly detect and handle transient lookup failures from + tor_addr_lookup. Fixes bug 4530; bugfix on 0.2.1.5-alpha. + Reported by "troll_un". + - Fix null-pointer access that could occur if TLS allocation failed. + Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un". + - Use tor_socket_t type for listener argument to accept(). Fixes bug + 4535; bugfix on 0.2.2.28-beta. Found by "troll_un". + + o Minor features: + - Add two new config options for directory authorities: + AuthDirFastGuarantee sets a bandwidth threshold for guaranteeing the + Fast flag, and AuthDirGuardBWGuarantee sets a bandwidth threshold + that is always sufficient to satisfy the bandwidth requirement for + the Guard flag. Now it will be easier for researchers to simulate + Tor networks with different values. Resolves ticket 4484. + - When Tor ignores a hidden service specified in its configuration, + include the hidden service's directory in the warning message. + Previously, we would only tell the user that some hidden service + was ignored. Bugfix on 0.0.6; fixes bug 4426. + - Update to the December 6 2011 Maxmind GeoLite Country database. + + o Packaging changes: + - Make it easier to automate expert package builds on Windows, + by removing an absolute path from makensis.exe command. + + +Changes in version 0.2.1.32 - 2011-12-16 + Tor 0.2.1.32 backports important security and privacy fixes for + oldstable. This release is intended only for package maintainers and + others who cannot use the 0.2.2 stable series. All others should be + using Tor 0.2.2.x or newer. + + The Tor 0.2.1.x series will reach formal end-of-life some time in + early 2012; we will stop releasing patches for it then. + + o Major bugfixes (also included in 0.2.2.x): + - Correctly sanity-check that we don't underflow on a memory + allocation (and then assert) for hidden service introduction + point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410; + bugfix on 0.2.1.5-alpha. + - Fix a heap overflow bug that could occur when trying to pull + data into the first chunk of a buffer, when that chunk had + already had some data drained from it. Fixes CVE-2011-2778; + bugfix on 0.2.0.16-alpha. Reported by "Vektor". + + o Minor features: + - Update to the December 6 2011 Maxmind GeoLite Country database. + + +Changes in version 0.2.2.34 - 2011-10-26 + Tor 0.2.2.34 fixes a critical anonymity vulnerability where an attacker + can deanonymize Tor users. Everybody should upgrade. + + The attack relies on four components: 1) Clients reuse their TLS cert + when talking to different relays, so relays can recognize a user by + the identity key in her cert. 2) An attacker who knows the client's + identity key can probe each guard relay to see if that identity key + is connected to that guard relay right now. 3) A variety of active + attacks in the literature (starting from "Low-Cost Traffic Analysis + of Tor" by Murdoch and Danezis in 2005) allow a malicious website to + discover the guard relays that a Tor user visiting the website is using. + 4) Clients typically pick three guards at random, so the set of guards + for a given user could well be a unique fingerprint for her. This + release fixes components #1 and #2, which is enough to block the attack; + the other two remain as open research problems. Special thanks to + "frosty_un" for reporting the issue to us! + + Clients should upgrade so they are no longer recognizable by the TLS + certs they present. Relays should upgrade so they no longer allow a + remote attacker to probe them to test whether unpatched clients are + currently connected to them. + + This release also fixes several vulnerabilities that allow an attacker + to enumerate bridge relays. Some bridge enumeration attacks still + remain; see for example proposal 188. + + o Privacy/anonymity fixes (clients): + - Clients and bridges no longer send TLS certificate chains on + outgoing OR connections. Previously, each client or bridge would + use the same cert chain for all outgoing OR connections until + its IP address changes, which allowed any relay that the client + or bridge contacted to determine which entry guards it is using. + Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un". + - If a relay receives a CREATE_FAST cell on a TLS connection, it + no longer considers that connection as suitable for satisfying a + circuit EXTEND request. Now relays can protect clients from the + CVE-2011-2768 issue even if the clients haven't upgraded yet. + - Directory authorities no longer assign the Guard flag to relays + that haven't upgraded to the above "refuse EXTEND requests + to client connections" fix. Now directory authorities can + protect clients from the CVE-2011-2768 issue even if neither + the clients nor the relays have upgraded yet. There's a new + "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option + to let us transition smoothly, else tomorrow there would be no + guard relays. + + o Privacy/anonymity fixes (bridge enumeration): + - Bridge relays now do their directory fetches inside Tor TLS + connections, like all the other clients do, rather than connecting + directly to the DirPort like public relays do. Removes another + avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35. + - Bridges relays now build circuits for themselves in a more similar + way to how clients build them. Removes another avenue for + enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha, + when bridges were introduced. + - Bridges now refuse CREATE or CREATE_FAST cells on OR connections + that they initiated. Relays could distinguish incoming bridge + connections from client connections, creating another avenue for + enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha. + Found by "frosty_un". + + o Major bugfixes: + - Fix a crash bug when changing node restrictions while a DNS lookup + is in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix + by "Tey'". + - Don't launch a useless circuit after failing to use one of a + hidden service's introduction points. Previously, we would + launch a new introduction circuit, but not set the hidden service + which that circuit was intended to connect to, so it would never + actually be used. A different piece of code would then create a + new introduction circuit correctly. Bug reported by katmagic and + found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212. + + o Minor bugfixes: + - Change an integer overflow check in the OpenBSD_Malloc code so + that GCC is less likely to eliminate it as impossible. Patch + from Mansour Moufid. Fixes bug 4059. + - When a hidden service turns an extra service-side introduction + circuit into a general-purpose circuit, free the rend_data and + intro_key fields first, so we won't leak memory if the circuit + is cannibalized for use as another service-side introduction + circuit. Bugfix on 0.2.1.7-alpha; fixes bug 4251. + - Bridges now skip DNS self-tests, to act a little more stealthily. + Fixes bug 4201; bugfix on 0.2.0.3-alpha, which first introduced + bridges. Patch by "warms0x". + - Fix internal bug-checking logic that was supposed to catch + failures in digest generation so that it will fail more robustly + if we ask for a nonexistent algorithm. Found by Coverity Scan. + Bugfix on 0.2.2.1-alpha; fixes Coverity CID 479. + - Report any failure in init_keys() calls launched because our + IP address has changed. Spotted by Coverity Scan. Bugfix on + 0.1.1.4-alpha; fixes CID 484. + + o Minor bugfixes (log messages and documentation): + - Remove a confusing dollar sign from the example fingerprint in the + man page, and also make the example fingerprint a valid one. Fixes + bug 4309; bugfix on 0.2.1.3-alpha. + - The next version of Windows will be called Windows 8, and it has + a major version of 6, minor version of 2. Correctly identify that + version instead of calling it "Very recent version". Resolves + ticket 4153; reported by funkstar. + - Downgrade log messages about circuit timeout calibration from + "notice" to "info": they don't require or suggest any human + intervention. Patch from Tom Lowenthal. Fixes bug 4063; + bugfix on 0.2.2.14-alpha. + + o Minor features: + - Turn on directory request statistics by default and include them in + extra-info descriptors. Don't break if we have no GeoIP database. + Backported from 0.2.3.1-alpha; implements ticket 3951. + - Update to the October 4 2011 Maxmind GeoLite Country database. + + +Changes in version 0.2.1.31 - 2011-10-26 + Tor 0.2.1.31 backports important security and privacy fixes for + oldstable. This release is intended only for package maintainers and + others who cannot use the 0.2.2 stable series. All others should be + using Tor 0.2.2.x or newer. + + o Security fixes (also included in 0.2.2.x): + - Replace all potentially sensitive memory comparison operations + with versions whose runtime does not depend on the data being + compared. This will help resist a class of attacks where an + adversary can use variations in timing information to learn + sensitive data. Fix for one case of bug 3122. (Safe memcmp + implementation by Robert Ransom based partially on code by DJB.) + - Fix an assert in parsing router descriptors containing IPv6 + addresses. This one took down the directory authorities when + somebody tried some experimental code. Bugfix on 0.2.1.3-alpha. + + o Privacy/anonymity fixes (also included in 0.2.2.x): + - Clients and bridges no longer send TLS certificate chains on + outgoing OR connections. Previously, each client or bridge + would use the same cert chain for all outgoing OR connections + for up to 24 hours, which allowed any relay that the client or + bridge contacted to determine which entry guards it is using. + Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by frosty_un. + - If a relay receives a CREATE_FAST cell on a TLS connection, it + no longer considers that connection as suitable for satisfying a + circuit EXTEND request. Now relays can protect clients from the + CVE-2011-2768 issue even if the clients haven't upgraded yet. + - Bridges now refuse CREATE or CREATE_FAST cells on OR connections + that they initiated. Relays could distinguish incoming bridge + connections from client connections, creating another avenue for + enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha. + Found by "frosty_un". + - When receiving a hidden service descriptor, check that it is for + the hidden service we wanted. Previously, Tor would store any + hidden service descriptors that a directory gave it, whether it + wanted them or not. This wouldn't have let an attacker impersonate + a hidden service, but it did let directories pre-seed a client + with descriptors that it didn't want. Bugfix on 0.0.6. + - Avoid linkability based on cached hidden service descriptors: forget + all hidden service descriptors cached as a client when processing a + SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6. + - Make the bridge directory authority refuse to answer directory + requests for "all" descriptors. It used to include bridge + descriptors in its answer, which was a major information leak. + Found by "piebeer". Bugfix on 0.2.0.3-alpha. + - Don't attach new streams to old rendezvous circuits after SIGNAL + NEWNYM. Previously, we would keep using an existing rendezvous + circuit if it remained open (i.e. if it were kept open by a + long-lived stream, or if a new stream were attached to it before + Tor could notice that it was old and no longer in use). Bugfix on + 0.1.1.15-rc; fixes bug 3375. + + o Minor bugfixes (also included in 0.2.2.x): + - When we restart our relay, we might get a successful connection + from the outside before we've started our reachability tests, + triggering a warning: "ORPort found reachable, but I have no + routerinfo yet. Failing to inform controller of success." This + bug was harmless unless Tor is running under a controller + like Vidalia, in which case the controller would never get a + REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha; + fixes bug 1172. + - Build correctly on OSX with zlib 1.2.4 and higher with all warnings + enabled. Fixes bug 1526. + - Remove undocumented option "-F" from tor-resolve: it hasn't done + anything since 0.2.1.16-rc. + - Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned. + None of the cases where we did this before were wrong, but by making + this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28. + - Fix a rare crash bug that could occur when a client was configured + with a large number of bridges. Fixes bug 2629; bugfix on + 0.2.1.2-alpha. Bugfix by trac user "shitlei". + - Correct the warning displayed when a rendezvous descriptor exceeds + the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by + John Brooks. + - Fix an uncommon assertion failure when running with DNSPort under + heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha. + - When warning about missing zlib development packages during compile, + give the correct package names. Bugfix on 0.2.0.1-alpha. + - Require that introduction point keys and onion keys have public + exponent 65537. Bugfix on 0.2.0.10-alpha. + - Do not crash when our configuration file becomes unreadable, for + example due to a permissions change, between when we start up + and when a controller calls SAVECONF. Fixes bug 3135; bugfix + on 0.0.9pre6. + - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option. + Fixes bug 3208. + - Always NUL-terminate the sun_path field of a sockaddr_un before + passing it to the kernel. (Not a security issue: kernels are + smart enough to reject bad sockaddr_uns.) Found by Coverity; + CID #428. Bugfix on Tor 0.2.0.3-alpha. + - Don't stack-allocate the list of supplementary GIDs when we're + about to log them. Stack-allocating NGROUPS_MAX gid_t elements + could take up to 256K, which is way too much stack. Found by + Coverity; CID #450. Bugfix on 0.2.1.7-alpha. + + o Minor bugfixes (only in 0.2.1.x): + - Resume using micro-version numbers in 0.2.1.x: our Debian packages + rely on them. Bugfix on 0.2.1.30. + - Use git revisions instead of svn revisions when generating our + micro-version numbers. Bugfix on 0.2.1.15-rc; fixes bug 2402. + + o Minor features (also included in 0.2.2.x): + - Adjust the expiration time on our SSL session certificates to + better match SSL certs seen in the wild. Resolves ticket 4014. + - Allow nameservers with IPv6 address. Resolves bug 2574. + - Update to the October 4 2011 Maxmind GeoLite Country database. + + +Changes in version 0.2.2.33 - 2011-09-13 + Tor 0.2.2.33 fixes several bugs, and includes a slight tweak to Tor's + TLS handshake that makes relays and bridges that run this new version + reachable from Iran again. + + o Major bugfixes: + - Avoid an assertion failure when reloading a configuration with + TrackExitHosts changes. Found and fixed by 'laruldan'. Fixes bug + 3923; bugfix on 0.2.2.25-alpha. + + o Minor features (security): + - Check for replays of the public-key encrypted portion of an + INTRODUCE1 cell, in addition to the current check for replays of + the g^x value. This prevents a possible class of active attacks + by an attacker who controls both an introduction point and a + rendezvous point, and who uses the malleability of AES-CTR to + alter the encrypted g^x portion of the INTRODUCE1 cell. We think + that these attacks are infeasible (requiring the attacker to send + on the order of zettabytes of altered cells in a short interval), + but we'd rather block them off in case there are any classes of + this attack that we missed. Reported by Willem Pinckaers. + + o Minor features: + - Adjust the expiration time on our SSL session certificates to + better match SSL certs seen in the wild. Resolves ticket 4014. + - Change the default required uptime for a relay to be accepted as + a HSDir (hidden service directory) from 24 hours to 25 hours. + Improves on 0.2.0.10-alpha; resolves ticket 2649. + - Add a VoteOnHidServDirectoriesV2 config option to allow directory + authorities to abstain from voting on assignment of the HSDir + consensus flag. Related to bug 2649. + - Update to the September 6 2011 Maxmind GeoLite Country database. + + o Minor bugfixes (documentation and log messages): + - Correct the man page to explain that HashedControlPassword and + CookieAuthentication can both be set, in which case either method + is sufficient to authenticate to Tor. Bugfix on 0.2.0.7-alpha, + when we decided to allow these config options to both be set. Issue + raised by bug 3898. + - Demote the 'replay detected' log message emitted when a hidden + service receives the same Diffie-Hellman public key in two different + INTRODUCE2 cells to info level. A normal Tor client can cause that + log message during its normal operation. Bugfix on 0.2.1.6-alpha; + fixes part of bug 2442. + - Demote the 'INTRODUCE2 cell is too {old,new}' log message to info + level. There is nothing that a hidden service's operator can do + to fix its clients' clocks. Bugfix on 0.2.1.6-alpha; fixes part + of bug 2442. + - Clarify a log message specifying the characters permitted in + HiddenServiceAuthorizeClient client names. Previously, the log + message said that "[A-Za-z0-9+-_]" were permitted; that could have + given the impression that every ASCII character between "+" and "_" + was permitted. Now we say "[A-Za-z0-9+_-]". Bugfix on 0.2.1.5-alpha. + + o Build fixes: + - Provide a substitute implementation of lround() for MSVC, which + apparently lacks it. Patch from Gisle Vanem. + - Clean up some code issues that prevented Tor from building on older + BSDs. Fixes bug 3894; reported by "grarpamp". + - Search for a platform-specific version of "ar" when cross-compiling. + Should fix builds on iOS. Resolves bug 3909, found by Marco Bonetti. + + +Changes in version 0.2.2.32 - 2011-08-27 + The Tor 0.2.2 release series is dedicated to the memory of Andreas + Pfitzmann (1958-2010), a pioneer in anonymity and privacy research, + a founder of the PETS community, a leader in our field, a mentor, + and a friend. He left us with these words: "I had the possibility + to contribute to this world that is not as it should be. I hope I + could help in some areas to make the world a better place, and that + I could also encourage other people to be engaged in improving the + world. Please, stay engaged. This world needs you, your love, your + initiative -- now I cannot be part of that anymore." + + Tor 0.2.2.32, the first stable release in the 0.2.2 branch, is finally + ready. More than two years in the making, this release features improved + client performance and hidden service reliability, better compatibility + for Android, correct behavior for bridges that listen on more than + one address, more extensible and flexible directory object handling, + better reporting of network statistics, improved code security, and + many many other features and bugfixes. + + o Major features (client performance): + - When choosing which cells to relay first, relays now favor circuits + that have been quiet recently, to provide lower latency for + low-volume circuits. By default, relays enable or disable this + feature based on a setting in the consensus. They can override + this default by using the new "CircuitPriorityHalflife" config + option. Design and code by Ian Goldberg, Can Tang, and Chris + Alexander. + - Directory authorities now compute consensus weightings that instruct + clients how to weight relays flagged as Guard, Exit, Guard+Exit, + and no flag. Clients use these weightings to distribute network load + more evenly across these different relay types. The weightings are + in the consensus so we can change them globally in the future. Extra + thanks to "outofwords" for finding some nasty security bugs in + the first implementation of this feature. + + o Major features (client performance, circuit build timeout): + - Tor now tracks how long it takes to build client-side circuits + over time, and adapts its timeout to local network performance. + Since a circuit that takes a long time to build will also provide + bad performance, we get significant latency improvements by + discarding the slowest 20% of circuits. Specifically, Tor creates + circuits more aggressively than usual until it has enough data + points for a good timeout estimate. Implements proposal 151. + - Circuit build timeout constants can be controlled by consensus + parameters. We set good defaults for these parameters based on + experimentation on broadband and simulated high-latency links. + - Circuit build time learning can be disabled via consensus parameter + or by the client via a LearnCircuitBuildTimeout config option. We + also automatically disable circuit build time calculation if either + AuthoritativeDirectory is set, or if we fail to write our state + file. Implements ticket 1296. + + o Major features (relays use their capacity better): + - Set SO_REUSEADDR socket option on all sockets, not just + listeners. This should help busy exit nodes avoid running out of + useable ports just because all the ports have been used in the + near past. Resolves issue 2850. + - Relays now save observed peak bandwidth throughput rates to their + state file (along with total usage, which was already saved), + so that they can determine their correct estimated bandwidth on + restart. Resolves bug 1863, where Tor relays would reset their + estimated bandwidth to 0 after restarting. + - Lower the maximum weighted-fractional-uptime cutoff to 98%. This + should give us approximately 40-50% more Guard-flagged nodes, + improving the anonymity the Tor network can provide and also + decreasing the dropoff in throughput that relays experience when + they first get the Guard flag. + - Directory authorities now take changes in router IP address and + ORPort into account when determining router stability. Previously, + if a router changed its IP or ORPort, the authorities would not + treat it as having any downtime for the purposes of stability + calculation, whereas clients would experience downtime since the + change would take a while to propagate to them. Resolves issue 1035. + - New AccelName and AccelDir options add support for dynamic OpenSSL + hardware crypto acceleration engines. + + o Major features (relays control their load better): + - Exit relays now try harder to block exit attempts from unknown + relays, to make it harder for people to use them as one-hop proxies + a la tortunnel. Controlled by the refuseunknownexits consensus + parameter (currently enabled), or you can override it on your + relay with the RefuseUnknownExits torrc option. Resolves bug 1751; + based on a variant of proposal 163. + - Add separate per-conn write limiting to go with the per-conn read + limiting. We added a global write limit in Tor 0.1.2.5-alpha, + but never per-conn write limits. + - New consensus params "bwconnrate" and "bwconnburst" to let us + rate-limit client connections as they enter the network. It's + controlled in the consensus so we can turn it on and off for + experiments. It's starting out off. Based on proposal 163. + + o Major features (controllers): + - Export GeoIP information on bridge usage to controllers even if we + have not yet been running for 24 hours. Now Vidalia bridge operators + can get more accurate and immediate feedback about their + contributions to the network. + - Add an __OwningControllerProcess configuration option and a + TAKEOWNERSHIP control-port command. Now a Tor controller can ensure + that when it exits, Tor will shut down. Implements feature 3049. + + o Major features (directory authorities): + - Directory authorities now create, vote on, and serve multiple + parallel formats of directory data as part of their voting process. + Partially implements Proposal 162: "Publish the consensus in + multiple flavors". + - Directory authorities now agree on and publish small summaries + of router information that clients can use in place of regular + server descriptors. This transition will allow Tor 0.2.3 clients + to use far less bandwidth for downloading information about the + network. Begins the implementation of Proposal 158: "Clients + download consensus + microdescriptors". + - The directory voting system is now extensible to use multiple hash + algorithms for signatures and resource selection. Newer formats + are signed with SHA256, with a possibility for moving to a better + hash algorithm in the future. + - Directory authorities can now vote on arbitary integer values as + part of the consensus process. This is designed to help set + network-wide parameters. Implements proposal 167. + + o Major features and bugfixes (node selection): + - Revise and reconcile the meaning of the ExitNodes, EntryNodes, + ExcludeEntryNodes, ExcludeExitNodes, ExcludeNodes, and Strict*Nodes + options. Previously, we had been ambiguous in describing what + counted as an "exit" node, and what operations exactly "StrictNodes + 0" would permit. This created confusion when people saw nodes built + through unexpected circuits, and made it hard to tell real bugs from + surprises. Now the intended behavior is: + . "Exit", in the context of ExitNodes and ExcludeExitNodes, means + a node that delivers user traffic outside the Tor network. + . "Entry", in the context of EntryNodes, means a node used as the + first hop of a multihop circuit. It doesn't include direct + connections to directory servers. + . "ExcludeNodes" applies to all nodes. + . "StrictNodes" changes the behavior of ExcludeNodes only. When + StrictNodes is set, Tor should avoid all nodes listed in + ExcludeNodes, even when it will make user requests fail. When + StrictNodes is *not* set, then Tor should follow ExcludeNodes + whenever it can, except when it must use an excluded node to + perform self-tests, connect to a hidden service, provide a + hidden service, fulfill a .exit request, upload directory + information, or fetch directory information. + Collectively, the changes to implement the behavior fix bug 1090. + - If EntryNodes, ExitNodes, ExcludeNodes, or ExcludeExitNodes + change during a config reload, mark and discard all our origin + circuits. This fix should address edge cases where we change the + config options and but then choose a circuit that we created before + the change. + - Make EntryNodes config option much more aggressive even when + StrictNodes is not set. Before it would prepend your requested + entrynodes to your list of guard nodes, but feel free to use others + after that. Now it chooses only from your EntryNodes if any of + those are available, and only falls back to others if a) they're + all down and b) StrictNodes is not set. + - Now we refresh your entry guards from EntryNodes at each consensus + fetch -- rather than just at startup and then they slowly rot as + the network changes. + - Add support for the country code "{??}" in torrc options like + ExcludeNodes, to indicate all routers of unknown country. Closes + bug 1094. + - ExcludeNodes now takes precedence over EntryNodes and ExitNodes: if + a node is listed in both, it's treated as excluded. + - ExcludeNodes now applies to directory nodes -- as a preference if + StrictNodes is 0, or an absolute requirement if StrictNodes is 1. + Don't exclude all the directory authorities and set StrictNodes to 1 + unless you really want your Tor to break. + - ExcludeNodes and ExcludeExitNodes now override exit enclaving. + - ExcludeExitNodes now overrides .exit requests. + - We don't use bridges listed in ExcludeNodes. + - When StrictNodes is 1: + . We now apply ExcludeNodes to hidden service introduction points + and to rendezvous points selected by hidden service users. This + can make your hidden service less reliable: use it with caution! + . If we have used ExcludeNodes on ourself, do not try relay + reachability self-tests. + . If we have excluded all the directory authorities, we will not + even try to upload our descriptor if we're a relay. + . Do not honor .exit requests to an excluded node. + - When the set of permitted nodes changes, we now remove any mappings + introduced via TrackExitHosts to now-excluded nodes. Bugfix on + 0.1.0.1-rc. + - We never cannibalize a circuit that had excluded nodes on it, even + if StrictNodes is 0. Bugfix on 0.1.0.1-rc. + - Improve log messages related to excluded nodes. + + o Major features (misc): + - Numerous changes, bugfixes, and workarounds from Nathan Freitas + to help Tor build correctly for Android phones. + - The options SocksPort, ControlPort, and so on now all accept a + value "auto" that opens a socket on an OS-selected port. A + new ControlPortWriteToFile option tells Tor to write its + actual control port or ports to a chosen file. If the option + ControlPortFileGroupReadable is set, the file is created as + group-readable. Now users can run two Tor clients on the same + system without needing to manually mess with parameters. Resolves + part of ticket 3076. + - Tor now supports tunneling all of its outgoing connections over + a SOCKS proxy, using the SOCKS4Proxy and/or SOCKS5Proxy + configuration options. Code by Christopher Davis. + + o Code security improvements: + - Replace all potentially sensitive memory comparison operations + with versions whose runtime does not depend on the data being + compared. This will help resist a class of attacks where an + adversary can use variations in timing information to learn + sensitive data. Fix for one case of bug 3122. (Safe memcmp + implementation by Robert Ransom based partially on code by DJB.) + - Enable Address Space Layout Randomization (ASLR) and Data Execution + Prevention (DEP) by default on Windows to make it harder for + attackers to exploit vulnerabilities. Patch from John Brooks. + - New "--enable-gcc-hardening" ./configure flag (off by default) + to turn on gcc compile time hardening options. It ensures + that signed ints have defined behavior (-fwrapv), enables + -D_FORTIFY_SOURCE=2 (requiring -O2), adds stack smashing protection + with canaries (-fstack-protector-all), turns on ASLR protection if + supported by the kernel (-fPIE, -pie), and adds additional security + related warnings. Verified to work on Mac OS X and Debian Lenny. + - New "--enable-linker-hardening" ./configure flag (off by default) + to turn on ELF specific hardening features (relro, now). This does + not work with Mac OS X or any other non-ELF binary format. + - Always search the Windows system directory for system DLLs, and + nowhere else. Bugfix on 0.1.1.23; fixes bug 1954. + - New DisableAllSwap option. If set to 1, Tor will attempt to lock all + current and future memory pages via mlockall(). On supported + platforms (modern Linux and probably BSD but not Windows or OS X), + this should effectively disable any and all attempts to page out + memory. This option requires that you start your Tor as root -- + if you use DisableAllSwap, please consider using the User option + to properly reduce the privileges of your Tor. + + o Major bugfixes (crashes): + - Fix crash bug on platforms where gmtime and localtime can return + NULL. Windows 7 users were running into this one. Fixes part of bug + 2077. Bugfix on all versions of Tor. Found by boboper. + - Introduce minimum/maximum values that clients will believe + from the consensus. Now we'll have a better chance to avoid crashes + or worse when a consensus param has a weird value. + - Fix a rare crash bug that could occur when a client was configured + with a large number of bridges. Fixes bug 2629; bugfix on + 0.2.1.2-alpha. Bugfix by trac user "shitlei". + - Do not crash when our configuration file becomes unreadable, for + example due to a permissions change, between when we start up + and when a controller calls SAVECONF. Fixes bug 3135; bugfix + on 0.0.9pre6. + - If we're in the pathological case where there's no exit bandwidth + but there is non-exit bandwidth, or no guard bandwidth but there + is non-guard bandwidth, don't crash during path selection. Bugfix + on 0.2.0.3-alpha. + - Fix a crash bug when trying to initialize the evdns module in + Libevent 2. Bugfix on 0.2.1.16-rc. + + o Major bugfixes (stability): + - Fix an assert in parsing router descriptors containing IPv6 + addresses. This one took down the directory authorities when + somebody tried some experimental code. Bugfix on 0.2.1.3-alpha. + - Fix an uncommon assertion failure when running with DNSPort under + heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha. + - Treat an unset $HOME like an empty $HOME rather than triggering an + assert. Bugfix on 0.0.8pre1; fixes bug 1522. + - More gracefully handle corrupt state files, removing asserts + in favor of saving a backup and resetting state. + - Instead of giving an assertion failure on an internal mismatch + on estimated freelist size, just log a BUG warning and try later. + Mitigates but does not fix bug 1125. + - Fix an assert that got triggered when using the TestingTorNetwork + configuration option and then issuing a GETINFO config-text control + command. Fixes bug 2250; bugfix on 0.2.1.2-alpha. + - If the cached cert file is unparseable, warn but don't exit. + + o Privacy fixes (relays/bridges): + - Don't list Windows capabilities in relay descriptors. We never made + use of them, and maybe it's a bad idea to publish them. Bugfix + on 0.1.1.8-alpha. + - If the Nickname configuration option isn't given, Tor would pick a + nickname based on the local hostname as the nickname for a relay. + Because nicknames are not very important in today's Tor and the + "Unnamed" nickname has been implemented, this is now problematic + behavior: It leaks information about the hostname without being + useful at all. Fixes bug 2979; bugfix on 0.1.2.2-alpha, which + introduced the Unnamed nickname. Reported by tagnaq. + - Maintain separate TLS contexts and certificates for incoming and + outgoing connections in bridge relays. Previously we would use the + same TLS contexts and certs for incoming and outgoing connections. + Bugfix on 0.2.0.3-alpha; addresses bug 988. + - Maintain separate identity keys for incoming and outgoing TLS + contexts in bridge relays. Previously we would use the same + identity keys for incoming and outgoing TLS contexts. Bugfix on + 0.2.0.3-alpha; addresses the other half of bug 988. + - Make the bridge directory authority refuse to answer directory + requests for "all descriptors". It used to include bridge + descriptors in its answer, which was a major information leak. + Found by "piebeer". Bugfix on 0.2.0.3-alpha. + + o Privacy fixes (clients): + - When receiving a hidden service descriptor, check that it is for + the hidden service we wanted. Previously, Tor would store any + hidden service descriptors that a directory gave it, whether it + wanted them or not. This wouldn't have let an attacker impersonate + a hidden service, but it did let directories pre-seed a client + with descriptors that it didn't want. Bugfix on 0.0.6. + - Start the process of disabling ".exit" address notation, since it + can be used for a variety of esoteric application-level attacks + on users. To reenable it, set "AllowDotExit 1" in your torrc. Fix + on 0.0.9rc5. + - Reject attempts at the client side to open connections to private + IP addresses (like 127.0.0.1, 10.0.0.1, and so on) with + a randomly chosen exit node. Attempts to do so are always + ill-defined, generally prevented by exit policies, and usually + in error. This will also help to detect loops in transparent + proxy configurations. You can disable this feature by setting + "ClientRejectInternalAddresses 0" in your torrc. + - Log a notice when we get a new control connection. Now it's easier + for security-conscious users to recognize when a local application + is knocking on their controller door. Suggested by bug 1196. + + o Privacy fixes (newnym): + - Avoid linkability based on cached hidden service descriptors: forget + all hidden service descriptors cached as a client when processing a + SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6. + - On SIGHUP, do not clear out all TrackHostExits mappings, client + DNS cache entries, and virtual address mappings: that's what + NEWNYM is for. Fixes bug 1345; bugfix on 0.1.0.1-rc. + - Don't attach new streams to old rendezvous circuits after SIGNAL + NEWNYM. Previously, we would keep using an existing rendezvous + circuit if it remained open (i.e. if it were kept open by a + long-lived stream, or if a new stream were attached to it before + Tor could notice that it was old and no longer in use). Bugfix on + 0.1.1.15-rc; fixes bug 3375. + + o Major bugfixes (relay bandwidth accounting): + - Fix a bug that could break accounting on 64-bit systems with large + time_t values, making them hibernate for impossibly long intervals. + Fixes bug 2146. Bugfix on 0.0.9pre6; fix by boboper. + - Fix a bug in bandwidth accounting that could make us use twice + the intended bandwidth when our interval start changes due to + daylight saving time. Now we tolerate skew in stored vs computed + interval starts: if the start of the period changes by no more than + 50% of the period's duration, we remember bytes that we transferred + in the old period. Fixes bug 1511; bugfix on 0.0.9pre5. + + o Major bugfixes (bridges): + - Bridges now use "reject *:*" as their default exit policy. Bugfix + on 0.2.0.3-alpha. Fixes bug 1113. + - If you configure your bridge with a known identity fingerprint, + and the bridge authority is unreachable (as it is in at least + one country now), fall back to directly requesting the descriptor + from the bridge. Finishes the feature started in 0.2.0.10-alpha; + closes bug 1138. + - Fix a bug where bridge users who configure the non-canonical + address of a bridge automatically switch to its canonical + address. If a bridge listens at more than one address, it + should be able to advertise those addresses independently and + any non-blocked addresses should continue to work. Bugfix on Tor + 0.2.0.3-alpha. Fixes bug 2510. + - If you configure Tor to use bridge A, and then quit and + configure Tor to use bridge B instead (or if you change Tor + to use bridge B via the controller), it would happily continue + to use bridge A if it's still reachable. While this behavior is + a feature if your goal is connectivity, in some scenarios it's a + dangerous bug. Bugfix on Tor 0.2.0.1-alpha; fixes bug 2511. + - When the controller configures a new bridge, don't wait 10 to 60 + seconds before trying to fetch its descriptor. Bugfix on + 0.2.0.3-alpha; fixes bug 3198 (suggested by 2355). + + o Major bugfixes (directory authorities): + - Many relays have been falling out of the consensus lately because + not enough authorities know about their descriptor for them to get + a majority of votes. When we deprecated the v2 directory protocol, + we got rid of the only way that v3 authorities can hear from each + other about other descriptors. Now authorities examine every v3 + vote for new descriptors, and fetch them from that authority. Bugfix + on 0.2.1.23. + - Authorities could be tricked into giving out the Exit flag to relays + that didn't allow exiting to any ports. This bug could screw + with load balancing and stats. Bugfix on 0.1.1.6-alpha; fixes bug + 1238. Bug discovered by Martin Kowalczyk. + - If all authorities restart at once right before a consensus vote, + nobody will vote about "Running", and clients will get a consensus + with no usable relays. Instead, authorities refuse to build a + consensus if this happens. Bugfix on 0.2.0.10-alpha; fixes bug 1066. + + o Major bugfixes (stream-level fairness): + - When receiving a circuit-level SENDME for a blocked circuit, try + to package cells fairly from all the streams that had previously + been blocked on that circuit. Previously, we had started with the + oldest stream, and allowed each stream to potentially exhaust + the circuit's package window. This gave older streams on any + given circuit priority over newer ones. Fixes bug 1937. Detected + originally by Camilo Viecco. This bug was introduced before the + first Tor release, in svn commit r152: it is the new winner of + the longest-lived bug prize. + - Fix a stream fairness bug that would cause newer streams on a given + circuit to get preference when reading bytes from the origin or + destination. Fixes bug 2210. Fix by Mashael AlSabah. This bug was + introduced before the first Tor release, in svn revision r152. + - When the exit relay got a circuit-level sendme cell, it started + reading on the exit streams, even if had 500 cells queued in the + circuit queue already, so the circuit queue just grew and grew in + some cases. We fix this by not re-enabling reading on receipt of a + sendme cell when the cell queue is blocked. Fixes bug 1653. Bugfix + on 0.2.0.1-alpha. Detected by Mashael AlSabah. Original patch by + "yetonetime". + - Newly created streams were allowed to read cells onto circuits, + even if the circuit's cell queue was blocked and waiting to drain. + This created potential unfairness, as older streams would be + blocked, but newer streams would gladly fill the queue completely. + We add code to detect this situation and prevent any stream from + getting more than one free cell. Bugfix on 0.2.0.1-alpha. Partially + fixes bug 1298. + + o Major bugfixes (hidden services): + - Apply circuit timeouts to opened hidden-service-related circuits + based on the correct start time. Previously, we would apply the + circuit build timeout based on time since the circuit's creation; + it was supposed to be applied based on time since the circuit + entered its current state. Bugfix on 0.0.6; fixes part of bug 1297. + - Improve hidden service robustness: When we find that we have + extended a hidden service's introduction circuit to a relay not + listed as an introduction point in the HS descriptor we currently + have, retry with an introduction point from the current + descriptor. Previously we would just give up. Fixes bugs 1024 and + 1930; bugfix on 0.2.0.10-alpha. + - Directory authorities now use data collected from their own + uptime observations when choosing whether to assign the HSDir flag + to relays, instead of trusting the uptime value the relay reports in + its descriptor. This change helps prevent an attack where a small + set of nodes with frequently-changing identity keys can blackhole + a hidden service. (Only authorities need upgrade; others will be + fine once they do.) Bugfix on 0.2.0.10-alpha; fixes bug 2709. + - Stop assigning the HSDir flag to relays that disable their + DirPort (and thus will refuse to answer directory requests). This + fix should dramatically improve the reachability of hidden services: + hidden services and hidden service clients pick six HSDir relays + to store and retrieve the hidden service descriptor, and currently + about half of the HSDir relays will refuse to work. Bugfix on + 0.2.0.10-alpha; fixes part of bug 1693. + + o Major bugfixes (misc): + - Clients now stop trying to use an exit node associated with a given + destination by TrackHostExits if they fail to reach that exit node. + Fixes bug 2999. Bugfix on 0.2.0.20-rc. + - Fix a regression that caused Tor to rebind its ports if it receives + SIGHUP while hibernating. Bugfix in 0.1.1.6-alpha; closes bug 919. + - Remove an extra pair of quotation marks around the error + message in control-port STATUS_GENERAL BUG events. Bugfix on + 0.1.2.6-alpha; fixes bug 3732. + + o Minor features (relays): + - Ensure that no empty [dirreq-](read|write)-history lines are added + to an extrainfo document. Implements ticket 2497. + - When bandwidth accounting is enabled, be more generous with how + much bandwidth we'll use up before entering "soft hibernation". + Previously, we'd refuse new connections and circuits once we'd + used up 95% of our allotment. Now, we use up 95% of our allotment, + AND make sure that we have no more than 500MB (or 3 hours of + expected traffic, whichever is lower) remaining before we enter + soft hibernation. + - Relays now log the reason for publishing a new relay descriptor, + so we have a better chance of hunting down instances of bug 1810. + Resolves ticket 3252. + - Log a little more clearly about the times at which we're no longer + accepting new connections (e.g. due to hibernating). Resolves + bug 2181. + - When AllowSingleHopExits is set, print a warning to explain to the + relay operator why most clients are avoiding her relay. + - Send END_STREAM_REASON_NOROUTE in response to EHOSTUNREACH errors. + Clients before 0.2.1.27 didn't handle NOROUTE correctly, but such + clients are already deprecated because of security bugs. + + o Minor features (network statistics): + - Directory mirrors that set "DirReqStatistics 1" write statistics + about directory requests to disk every 24 hours. As compared to the + "--enable-geoip-stats" ./configure flag in 0.2.1.x, there are a few + improvements: 1) stats are written to disk exactly every 24 hours; + 2) estimated shares of v2 and v3 requests are determined as mean + values, not at the end of a measurement period; 3) unresolved + requests are listed with country code '??'; 4) directories also + measure download times. + - Exit nodes that set "ExitPortStatistics 1" write statistics on the + number of exit streams and transferred bytes per port to disk every + 24 hours. + - Relays that set "CellStatistics 1" write statistics on how long + cells spend in their circuit queues to disk every 24 hours. + - Entry nodes that set "EntryStatistics 1" write statistics on the + rough number and origins of connecting clients to disk every 24 + hours. + - Relays that write any of the above statistics to disk and set + "ExtraInfoStatistics 1" include the past 24 hours of statistics in + their extra-info documents. Implements proposal 166. + + o Minor features (GeoIP and statistics): + - Provide a log message stating which geoip file we're parsing + instead of just stating that we're parsing the geoip file. + Implements ticket 2432. + - Make sure every relay writes a state file at least every 12 hours. + Previously, a relay could go for weeks without writing its state + file, and on a crash could lose its bandwidth history, capacity + estimates, client country statistics, and so on. Addresses bug 3012. + - Relays report the number of bytes spent on answering directory + requests in extra-info descriptors similar to {read,write}-history. + Implements enhancement 1790. + - Report only the top 10 ports in exit-port stats in order not to + exceed the maximum extra-info descriptor length of 50 KB. Implements + task 2196. + - If writing the state file to disk fails, wait up to an hour before + retrying again, rather than trying again each second. Fixes bug + 2346; bugfix on Tor 0.1.1.3-alpha. + - Delay geoip stats collection by bridges for 6 hours, not 2 hours, + when we switch from being a public relay to a bridge. Otherwise + there will still be clients that see the relay in their consensus, + and the stats will end up wrong. Bugfix on 0.2.1.15-rc; fixes + bug 932. + - Update to the August 2 2011 Maxmind GeoLite Country database. + + o Minor features (clients): + - When expiring circuits, use microsecond timers rather than + one-second timers. This can avoid an unpleasant situation where a + circuit is launched near the end of one second and expired right + near the beginning of the next, and prevent fluctuations in circuit + timeout values. + - If we've configured EntryNodes and our network goes away and/or all + our entrynodes get marked down, optimistically retry them all when + a new socks application request appears. Fixes bug 1882. + - Always perform router selections using weighted relay bandwidth, + even if we don't need a high capacity circuit at the time. Non-fast + circuits now only differ from fast ones in that they can use relays + not marked with the Fast flag. This "feature" could turn out to + be a horrible bug; we should investigate more before it goes into + a stable release. + - When we run out of directory information such that we can't build + circuits, but then get enough that we can build circuits, log when + we actually construct a circuit, so the user has a better chance of + knowing what's going on. Fixes bug 1362. + - Log SSL state transitions at debug level during handshake, and + include SSL states in error messages. This may help debug future + SSL handshake issues. + + o Minor features (directory authorities): + - When a router changes IP address or port, authorities now launch + a new reachability test for it. Implements ticket 1899. + - Directory authorities now reject relays running any versions of + Tor between 0.2.1.3-alpha and 0.2.1.18 inclusive; they have + known bugs that keep RELAY_EARLY cells from working on rendezvous + circuits. Followup to fix for bug 2081. + - Directory authorities now reject relays running any version of Tor + older than 0.2.0.26-rc. That version is the earliest that fetches + current directory information correctly. Fixes bug 2156. + - Directory authorities now do an immediate reachability check as soon + as they hear about a new relay. This change should slightly reduce + the time between setting up a relay and getting listed as running + in the consensus. It should also improve the time between setting + up a bridge and seeing use by bridge users. + - Directory authorities no longer launch a TLS connection to every + relay as they startup. Now that we have 2k+ descriptors cached, + the resulting network hiccup is becoming a burden. Besides, + authorities already avoid voting about Running for the first half + hour of their uptime. + - Directory authorities now log the source of a rejected POSTed v3 + networkstatus vote, so we can track failures better. + - Backport code from 0.2.3.x that allows directory authorities to + clean their microdescriptor caches. Needed to resolve bug 2230. + + o Minor features (hidden services): + - Use computed circuit-build timeouts to decide when to launch + parallel introduction circuits for hidden services. (Previously, + we would retry after 15 seconds.) + - Don't allow v0 hidden service authorities to act as clients. + Required by fix for bug 3000. + - Ignore SIGNAL NEWNYM commands on relay-only Tor instances. Required + by fix for bug 3000. + - Make hidden services work better in private Tor networks by not + requiring any uptime to join the hidden service descriptor + DHT. Implements ticket 2088. + - Log (at info level) when purging pieces of hidden-service-client + state because of SIGNAL NEWNYM. + + o Minor features (controller interface): + - New "GETINFO net/listeners/(type)" controller command to return + a list of addresses and ports that are bound for listeners for a + given connection type. This is useful when the user has configured + "SocksPort auto" and the controller needs to know which port got + chosen. Resolves another part of ticket 3076. + - Have the controller interface give a more useful message than + "Internal Error" in response to failed GETINFO requests. + - Add a TIMEOUT_RATE keyword to the BUILDTIMEOUT_SET control port + event, to give information on the current rate of circuit timeouts + over our stored history. + - The 'EXTENDCIRCUIT' control port command can now be used with + a circ id of 0 and no path. This feature will cause Tor to build + a new 'fast' general purpose circuit using its own path selection + algorithms. + - Added a BUILDTIMEOUT_SET controller event to describe changes + to the circuit build timeout. + - New controller command "getinfo config-text". It returns the + contents that Tor would write if you send it a SAVECONF command, + so the controller can write the file to disk itself. + + o Minor features (controller protocol): + - Add a new ControlSocketsGroupWritable configuration option: when + it is turned on, ControlSockets are group-writeable by the default + group of the current user. Patch by Jérémy Bobbio; implements + ticket 2972. + - Tor now refuses to create a ControlSocket in a directory that is + world-readable (or group-readable if ControlSocketsGroupWritable + is 0). This is necessary because some operating systems do not + enforce permissions on an AF_UNIX sockets. Permissions on the + directory holding the socket, however, seems to work everywhere. + - Warn when CookieAuthFileGroupReadable is set but CookieAuthFile is + not. This would lead to a cookie that is still not group readable. + Closes bug 1843. Suggested by katmagic. + - Future-proof the controller protocol a bit by ignoring keyword + arguments we do not recognize. + + o Minor features (more useful logging): + - Revise most log messages that refer to nodes by nickname to + instead use the "$key=nickname at address" format. This should be + more useful, especially since nicknames are less and less likely + to be unique. Resolves ticket 3045. + - When an HTTPS proxy reports "403 Forbidden", we now explain + what it means rather than calling it an unexpected status code. + Closes bug 2503. Patch from Michael Yakubovich. + - Rate-limit a warning about failures to download v2 networkstatus + documents. Resolves part of bug 1352. + - Rate-limit the "your application is giving Tor only an IP address" + warning. Addresses bug 2000; bugfix on 0.0.8pre2. + - Rate-limit "Failed to hand off onionskin" warnings. + - When logging a rate-limited warning, we now mention how many messages + got suppressed since the last warning. + - Make the formerly ugly "2 unknown, 7 missing key, 0 good, 0 bad, + 2 no signature, 4 required" messages about consensus signatures + easier to read, and make sure they get logged at the same severity + as the messages explaining which keys are which. Fixes bug 1290. + - Don't warn when we have a consensus that we can't verify because + of missing certificates, unless those certificates are ones + that we have been trying and failing to download. Fixes bug 1145. + + o Minor features (log domains): + - Add documentation for configuring logging at different severities in + different log domains. We've had this feature since 0.2.1.1-alpha, + but for some reason it never made it into the manpage. Fixes + bug 2215. + - Make it simpler to specify "All log domains except for A and B". + Previously you needed to say "[*,~A,~B]". Now you can just say + "[~A,~B]". + - Add a "LogMessageDomains 1" option to include the domains of log + messages along with the messages. Without this, there's no way + to use log domains without reading the source or doing a lot + of guessing. + - Add a new "Handshake" log domain for activities that happen + during the TLS handshake. + + o Minor features (build process): + - Make compilation with clang possible when using + "--enable-gcc-warnings" by removing two warning options that clang + hasn't implemented yet and by fixing a few warnings. Resolves + ticket 2696. + - Detect platforms that brokenly use a signed size_t, and refuse to + build there. Found and analyzed by doorss and rransom. + - Fix a bunch of compile warnings revealed by mingw with gcc 4.5. + Resolves bug 2314. + - Add support for statically linking zlib by specifying + "--enable-static-zlib", to go with our support for statically + linking openssl and libevent. Resolves bug 1358. + - Instead of adding the svn revision to the Tor version string, report + the git commit (when we're building from a git checkout). + - Rename the "log.h" header to "torlog.h" so as to conflict with fewer + system headers. + - New --digests command-line switch to output the digests of the + source files Tor was built with. + - Generate our manpage and HTML documentation using Asciidoc. This + change should make it easier to maintain the documentation, and + produce nicer HTML. The build process fails if asciidoc cannot + be found and building with asciidoc isn't disabled (via the + "--disable-asciidoc" argument to ./configure. Skipping the manpage + speeds up the build considerably. + + o Minor features (options / torrc): + - Warn when the same option is provided more than once in a torrc + file, on the command line, or in a single SETCONF statement, and + the option is one that only accepts a single line. Closes bug 1384. + - Warn when the user configures two HiddenServiceDir lines that point + to the same directory. Bugfix on 0.0.6 (the version introducing + HiddenServiceDir); fixes bug 3289. + - Add new "perconnbwrate" and "perconnbwburst" consensus params to + do individual connection-level rate limiting of clients. The torrc + config options with the same names trump the consensus params, if + both are present. Replaces the old "bwconnrate" and "bwconnburst" + consensus params which were broken from 0.2.2.7-alpha through + 0.2.2.14-alpha. Closes bug 1947. + - New config option "WarnUnsafeSocks 0" disables the warning that + occurs whenever Tor receives a socks handshake using a version of + the socks protocol that can only provide an IP address (rather + than a hostname). Setups that do DNS locally over Tor are fine, + and we shouldn't spam the logs in that case. + - New config option "CircuitStreamTimeout" to override our internal + timeout schedule for how many seconds until we detach a stream from + a circuit and try a new circuit. If your network is particularly + slow, you might want to set this to a number like 60. + - New options for SafeLogging to allow scrubbing only log messages + generated while acting as a relay. Specify "SafeLogging relay" if + you want to ensure that only messages known to originate from + client use of the Tor process will be logged unsafely. + - Time and memory units in the configuration file can now be set to + fractional units. For example, "2.5 GB" is now a valid value for + AccountingMax. + - Support line continuations in the torrc config file. If a line + ends with a single backslash character, the newline is ignored, and + the configuration value is treated as continuing on the next line. + Resolves bug 1929. + + o Minor features (unit tests): + - Revise our unit tests to use the "tinytest" framework, so we + can run tests in their own processes, have smarter setup/teardown + code, and so on. The unit test code has moved to its own + subdirectory, and has been split into multiple modules. + - Add a unit test for cross-platform directory-listing code. + - Add some forgotten return value checks during unit tests. Found + by coverity. + - Use GetTempDir to find the proper temporary directory location on + Windows when generating temporary files for the unit tests. Patch + by Gisle Vanem. + + o Minor features (misc): + - The "torify" script now uses torsocks where available. + - Make Libevent log messages get delivered to controllers later, + and not from inside the Libevent log handler. This prevents unsafe + reentrant Libevent calls while still letting the log messages + get through. + - Certain Tor clients (such as those behind check.torproject.org) may + want to fetch the consensus in an extra early manner. To enable this + a user may now set FetchDirInfoExtraEarly to 1. This also depends on + setting FetchDirInfoEarly to 1. Previous behavior will stay the same + as only certain clients who must have this information sooner should + set this option. + - Expand homedirs passed to tor-checkkey. This should silence a + coverity complaint about passing a user-supplied string into + open() without checking it. + - Make sure to disable DirPort if running as a bridge. DirPorts aren't + used on bridges, and it makes bridge scanning somewhat easier. + - Create the /var/run/tor directory on startup on OpenSUSE if it is + not already created. Patch from Andreas Stieger. Fixes bug 2573. + + o Minor bugfixes (relays): + - When a relay decides that its DNS is too broken for it to serve + as an exit server, it advertised itself as a non-exit, but + continued to act as an exit. This could create accidental + partitioning opportunities for users. Instead, if a relay is + going to advertise reject *:* as its exit policy, it should + really act with exit policy "reject *:*". Fixes bug 2366. + Bugfix on Tor 0.1.2.5-alpha. Bugfix by user "postman" on trac. + - Publish a router descriptor even if generating an extra-info + descriptor fails. Previously we would not publish a router + descriptor without an extra-info descriptor; this can cause fast + exit relays collecting exit-port statistics to drop from the + consensus. Bugfix on 0.1.2.9-rc; fixes bug 2195. + - When we're trying to guess whether we know our IP address as + a relay, we would log various ways that we failed to guess + our address, but never log that we ended up guessing it + successfully. Now add a log line to help confused and anxious + relay operators. Bugfix on 0.1.2.1-alpha; fixes bug 1534. + - For bandwidth accounting, calculate our expected bandwidth rate + based on the time during which we were active and not in + soft-hibernation during the last interval. Previously, we were + also considering the time spent in soft-hibernation. If this + was a long time, we would wind up underestimating our bandwidth + by a lot, and skewing our wakeup time towards the start of the + accounting interval. Fixes bug 1789. Bugfix on 0.0.9pre5. + - Demote a confusing TLS warning that relay operators might get when + someone tries to talk to their ORPort. It is not the operator's + fault, nor can they do anything about it. Fixes bug 1364; bugfix + on 0.2.0.14-alpha. + - Change "Application request when we're believed to be offline." + notice to "Application request when we haven't used client + functionality lately.", to clarify that it's not an error. Bugfix + on 0.0.9.3; fixes bug 1222. + + o Minor bugfixes (bridges): + - When a client starts or stops using bridges, never use a circuit + that was built before the configuration change. This behavior could + put at risk a user who uses bridges to ensure that her traffic + only goes to the chosen addresses. Bugfix on 0.2.0.3-alpha; fixes + bug 3200. + - Do not reset the bridge descriptor download status every time we + re-parse our configuration or get a configuration change. Fixes + bug 3019; bugfix on 0.2.0.3-alpha. + - Users couldn't configure a regular relay to be their bridge. It + didn't work because when Tor fetched the bridge descriptor, it found + that it already had it, and didn't realize that the purpose of the + descriptor had changed. Now we replace routers with a purpose other + than bridge with bridge descriptors when fetching them. Bugfix on + 0.1.1.9-alpha. Fixes bug 1776. + - In the special case where you configure a public exit relay as your + bridge, Tor would be willing to use that exit relay as the last + hop in your circuit as well. Now we fail that circuit instead. + Bugfix on 0.2.0.12-alpha. Fixes bug 2403. Reported by "piebeer". + + o Minor bugfixes (clients): + - We now ask the other side of a stream (the client or the exit) + for more data on that stream when the amount of queued data on + that stream dips low enough. Previously, we wouldn't ask the + other side for more data until either it sent us more data (which + it wasn't supposed to do if it had exhausted its window!) or we + had completely flushed all our queued data. This flow control fix + should improve throughput. Fixes bug 2756; bugfix on the earliest + released versions of Tor (svn commit r152). + - When a client finds that an origin circuit has run out of 16-bit + stream IDs, we now mark it as unusable for new streams. Previously, + we would try to close the entire circuit. Bugfix on 0.0.6. + - Make it explicit that we don't cannibalize one-hop circuits. This + happens in the wild, but doesn't turn out to be a problem because + we fortunately don't use those circuits. Many thanks to outofwords + for the initial analysis and to swissknife who confirmed that + two-hop circuits are actually created. + - Resolve an edge case in path weighting that could make us misweight + our relay selection. Fixes bug 1203; bugfix on 0.0.8rc1. + - Make the DNSPort option work with libevent 2.x. Don't alter the + behaviour for libevent 1.x. Fixes bug 1143. Found by SwissTorExit. + + o Minor bugfixes (directory authorities): + - Make directory authorities more accurate at recording when + relays that have failed several reachability tests became + unreachable, so we can provide more accuracy at assigning Stable, + Guard, HSDir, etc flags. Bugfix on 0.2.0.6-alpha. Resolves bug 2716. + - Directory authorities are now more robust to hops back in time + when calculating router stability. Previously, if a run of uptime + or downtime appeared to be negative, the calculation could give + incorrect results. Bugfix on 0.2.0.6-alpha; noticed when fixing + bug 1035. + - Directory authorities will now attempt to download consensuses + if their own efforts to make a live consensus have failed. This + change means authorities that restart will fetch a valid + consensus, and it means authorities that didn't agree with the + current consensus will still fetch and serve it if it has enough + signatures. Bugfix on 0.2.0.9-alpha; fixes bug 1300. + - Never vote for a server as "Running" if we have a descriptor for + it claiming to be hibernating, and that descriptor was published + more recently than our last contact with the server. Bugfix on + 0.2.0.3-alpha; fixes bug 911. + - Directory authorities no longer change their opinion of, or vote on, + whether a router is Running, unless they have themselves been + online long enough to have some idea. Bugfix on 0.2.0.6-alpha. + Fixes bug 1023. + + o Minor bugfixes (hidden services): + - Log malformed requests for rendezvous descriptors as protocol + warnings, not warnings. Also, use a more informative log message + in case someone sees it at log level warning without prior + info-level messages. Fixes bug 2748; bugfix on 0.2.0.10-alpha. + - Accept hidden service descriptors if we think we might be a hidden + service directory, regardless of what our consensus says. This + helps robustness, since clients and hidden services can sometimes + have a more up-to-date view of the network consensus than we do, + and if they think that the directory authorities list us a HSDir, + we might actually be one. Related to bug 2732; bugfix on + 0.2.0.10-alpha. + - Correct the warning displayed when a rendezvous descriptor exceeds + the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by + John Brooks. + - Clients and hidden services now use HSDir-flagged relays for hidden + service descriptor downloads and uploads even if the relays have no + DirPort set and the client has disabled TunnelDirConns. This will + eventually allow us to give the HSDir flag to relays with no + DirPort. Fixes bug 2722; bugfix on 0.2.1.6-alpha. + - Only limit the lengths of single HS descriptors, even when multiple + HS descriptors are published to an HSDir relay in a single POST + operation. Fixes bug 2948; bugfix on 0.2.1.5-alpha. Found by hsdir. + + o Minor bugfixes (controllers): + - Allow GETINFO fingerprint to return a fingerprint even when + we have not yet built a router descriptor. Fixes bug 3577; + bugfix on 0.2.0.1-alpha. + - Send a SUCCEEDED stream event to the controller when a reverse + resolve succeeded. Fixes bug 3536; bugfix on 0.0.8pre1. Issue + discovered by katmagic. + - Remove a trailing asterisk from "exit-policy/default" in the + output of the control port command "GETINFO info/names". Bugfix + on 0.1.2.5-alpha. + - Make the SIGNAL DUMP controller command work on FreeBSD. Fixes bug + 2917. Bugfix on 0.1.1.1-alpha. + - When we restart our relay, we might get a successful connection + from the outside before we've started our reachability tests, + triggering a warning: "ORPort found reachable, but I have no + routerinfo yet. Failing to inform controller of success." This + bug was harmless unless Tor is running under a controller + like Vidalia, in which case the controller would never get a + REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha; + fixes bug 1172. + - When a controller changes TrackHostExits, remove mappings for + hosts that should no longer have their exits tracked. Bugfix on + 0.1.0.1-rc. + - When a controller changes VirtualAddrNetwork, remove any mappings + for hosts that were automapped to the old network. Bugfix on + 0.1.1.19-rc. + - When a controller changes one of the AutomapHosts* options, remove + any mappings for hosts that should no longer be automapped. Bugfix + on 0.2.0.1-alpha. + - Fix an off-by-one error in calculating some controller command + argument lengths. Fortunately, this mistake is harmless since + the controller code does redundant NUL termination too. Found by + boboper. Bugfix on 0.1.1.1-alpha. + - Fix a bug in the controller interface where "GETINFO ns/asdaskljkl" + would return "551 Internal error" rather than "552 Unrecognized key + ns/asdaskljkl". Bugfix on 0.1.2.3-alpha. + - Don't spam the controller with events when we have no file + descriptors available. Bugfix on 0.2.1.5-alpha. (Rate-limiting + for log messages was already solved from bug 748.) + - Emit a GUARD DROPPED controller event for a case we missed. + - Ensure DNS requests launched by "RESOLVE" commands from the + controller respect the __LeaveStreamsUnattached setconf options. The + same goes for requests launched via DNSPort or transparent + proxying. Bugfix on 0.2.0.1-alpha; fixes bug 1525. + + o Minor bugfixes (config options): + - Tor used to limit HttpProxyAuthenticator values to 48 characters. + Change the limit to 512 characters by removing base64 newlines. + Fixes bug 2752. Fix by Michael Yakubovich. + - Complain if PublishServerDescriptor is given multiple arguments that + include 0 or 1. This configuration will be rejected in the future. + Bugfix on 0.2.0.1-alpha; closes bug 1107. + - Disallow BridgeRelay 1 and ORPort 0 at once in the configuration. + Bugfix on 0.2.0.13-alpha; closes bug 928. + + o Minor bugfixes (log subsystem fixes): + - When unable to format an address as a string, report its value + as "???" rather than reusing the last formatted address. Bugfix + on 0.2.1.5-alpha. + - Be more consistent in our treatment of file system paths. "~" should + get expanded to the user's home directory in the Log config option. + Fixes bug 2971; bugfix on 0.2.0.1-alpha, which introduced the + feature for the -f and --DataDirectory options. + + o Minor bugfixes (memory management): + - Don't stack-allocate the list of supplementary GIDs when we're + about to log them. Stack-allocating NGROUPS_MAX gid_t elements + could take up to 256K, which is way too much stack. Found by + Coverity; CID #450. Bugfix on 0.2.1.7-alpha. + - Save a couple bytes in memory allocation every time we escape + certain characters in a string. Patch from Florian Zumbiehl. + + o Minor bugfixes (protocol correctness): + - When checking for 1024-bit keys, check for 1024 bits, not 128 + bytes. This allows Tor to correctly discard keys of length 1017 + through 1023. Bugfix on 0.0.9pre5. + - Require that introduction point keys and onion handshake keys + have a public exponent of 65537. Starts to fix bug 3207; bugfix + on 0.2.0.10-alpha. + - Handle SOCKS messages longer than 128 bytes long correctly, rather + than waiting forever for them to finish. Fixes bug 2330; bugfix + on 0.2.0.16-alpha. Found by doorss. + - Never relay a cell for a circuit we have already destroyed. + Between marking a circuit as closeable and finally closing it, + it may have been possible for a few queued cells to get relayed, + even though they would have been immediately dropped by the next + OR in the circuit. Fixes bug 1184; bugfix on 0.2.0.1-alpha. + - Never queue a cell for a circuit that's already been marked + for close. + - Fix a spec conformance issue: the network-status-version token + must be the first token in a v3 consensus or vote. Discovered by + "parakeep". Bugfix on 0.2.0.3-alpha. + - A networkstatus vote must contain exactly one signature. Spec + conformance issue. Bugfix on 0.2.0.3-alpha. + - When asked about a DNS record type we don't support via a + client DNSPort, reply with NOTIMPL rather than an empty + reply. Patch by intrigeri. Fixes bug 3369; bugfix on 2.0.1-alpha. + - Make more fields in the controller protocol case-insensitive, since + control-spec.txt said they were. + + o Minor bugfixes (log messages): + - Fix a log message that said "bits" while displaying a value in + bytes. Found by wanoskarnet. Fixes bug 3318; bugfix on + 0.2.0.1-alpha. + - Downgrade "no current certificates known for authority" message from + Notice to Info. Fixes bug 2899; bugfix on 0.2.0.10-alpha. + - Correctly describe errors that occur when generating a TLS object. + Previously we would attribute them to a failure while generating a + TLS context. Patch by Robert Ransom. Bugfix on 0.1.0.4-rc; fixes + bug 1994. + - Fix an instance where a Tor directory mirror might accidentally + log the IP address of a misbehaving Tor client. Bugfix on + 0.1.0.1-rc. + - Stop logging at severity 'warn' when some other Tor client tries + to establish a circuit with us using weak DH keys. It's a protocol + violation, but that doesn't mean ordinary users need to hear about + it. Fixes the bug part of bug 1114. Bugfix on 0.1.0.13. + - If your relay can't keep up with the number of incoming create + cells, it would log one warning per failure into your logs. Limit + warnings to 1 per minute. Bugfix on 0.0.2pre10; fixes bug 1042. + + o Minor bugfixes (build fixes): + - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option. + - When warning about missing zlib development packages during compile, + give the correct package names. Bugfix on 0.2.0.1-alpha. + - Fix warnings that newer versions of autoconf produce during + ./autogen.sh. These warnings appear to be harmless in our case, + but they were extremely verbose. Fixes bug 2020. + - Squash a compile warning on OpenBSD. Reported by Tas; fixes + bug 1848. + + o Minor bugfixes (portability): + - Write several files in text mode, on OSes that distinguish text + mode from binary mode (namely, Windows). These files are: + 'buffer-stats', 'dirreq-stats', and 'entry-stats' on relays + that collect those statistics; 'client_keys' and 'hostname' for + hidden services that use authentication; and (in the tor-gencert + utility) newly generated identity and signing keys. Previously, + we wouldn't specify text mode or binary mode, leading to an + assertion failure. Fixes bug 3607. Bugfix on 0.2.1.1-alpha (when + the DirRecordUsageByCountry option which would have triggered + the assertion failure was added), although this assertion failure + would have occurred in tor-gencert on Windows in 0.2.0.1-alpha. + - Selectively disable deprecation warnings on OS X because Lion + started deprecating the shipped copy of openssl. Fixes bug 3643. + - Use a wide type to hold sockets when built for 64-bit Windows. + Fixes bug 3270. + - Fix an issue that prevented static linking of libevent on + some platforms (notably Linux). Fixes bug 2698; bugfix on 0.2.1.23, + where we introduced the "--with-static-libevent" configure option. + - Fix a bug with our locking implementation on Windows that couldn't + correctly detect when a file was already locked. Fixes bug 2504, + bugfix on 0.2.1.6-alpha. + - Build correctly on OSX with zlib 1.2.4 and higher with all warnings + enabled. + - Fix IPv6-related connect() failures on some platforms (BSD, OS X). + Bugfix on 0.2.0.3-alpha; fixes first part of bug 2660. Patch by + "piebeer". + + o Minor bugfixes (code correctness): + - Always NUL-terminate the sun_path field of a sockaddr_un before + passing it to the kernel. (Not a security issue: kernels are + smart enough to reject bad sockaddr_uns.) Found by Coverity; + CID #428. Bugfix on Tor 0.2.0.3-alpha. + - Make connection_printf_to_buf()'s behaviour sane. Its callers + expect it to emit a CRLF iff the format string ends with CRLF; + it actually emitted a CRLF iff (a) the format string ended with + CRLF or (b) the resulting string was over 1023 characters long or + (c) the format string did not end with CRLF *and* the resulting + string was 1021 characters long or longer. Bugfix on 0.1.1.9-alpha; + fixes part of bug 3407. + - Make send_control_event_impl()'s behaviour sane. Its callers + expect it to always emit a CRLF at the end of the string; it + might have emitted extra control characters as well. Bugfix on + 0.1.1.9-alpha; fixes another part of bug 3407. + - Make crypto_rand_int() check the value of its input correctly. + Previously, it accepted values up to UINT_MAX, but could return a + negative number if given a value above INT_MAX+1. Found by George + Kadianakis. Fixes bug 3306; bugfix on 0.2.2pre14. + - Fix a potential null-pointer dereference while computing a + consensus. Bugfix on tor-0.2.0.3-alpha, found with the help of + clang's analyzer. + - If we fail to compute the identity digest of a v3 legacy keypair, + warn, and don't use a buffer-full of junk instead. Bugfix on + 0.2.1.1-alpha; fixes bug 3106. + - Resolve an untriggerable issue in smartlist_string_num_isin(), + where if the function had ever in the future been used to check + for the presence of a too-large number, it would have given an + incorrect result. (Fortunately, we only used it for 16-bit + values.) Fixes bug 3175; bugfix on 0.1.0.1-rc. + - Be more careful about reporting the correct error from a failed + connect() system call. Under some circumstances, it was possible to + look at an incorrect value for errno when sending the end reason. + Bugfix on 0.1.0.1-rc. + - Correctly handle an "impossible" overflow cases in connection byte + counting, where we write or read more than 4GB on an edge connection + in a single second. Bugfix on 0.1.2.8-beta. + - Avoid a double mark-for-free warning when failing to attach a + transparent proxy connection. Bugfix on 0.1.2.1-alpha. Fixes + bug 2279. + - Correctly detect failure to allocate an OpenSSL BIO. Fixes bug 2378; + found by "cypherpunks". This bug was introduced before the first + Tor release, in svn commit r110. + - Fix a bug in bandwidth history state parsing that could have been + triggered if a future version of Tor ever changed the timing + granularity at which bandwidth history is measured. Bugfix on + Tor 0.1.1.11-alpha. + - Add assertions to check for overflow in arguments to + base32_encode() and base32_decode(); fix a signed-unsigned + comparison there too. These bugs are not actually reachable in Tor, + but it's good to prevent future errors too. Found by doorss. + - Avoid a bogus overlapped memcpy in tor_addr_copy(). Reported by + "memcpyfail". + - Set target port in get_interface_address6() correctly. Bugfix + on 0.1.1.4-alpha and 0.2.0.3-alpha; fixes second part of bug 2660. + - Fix an impossible-to-actually-trigger buffer overflow in relay + descriptor generation. Bugfix on 0.1.0.15. + - Fix numerous small code-flaws found by Coverity Scan Rung 3. + + o Minor bugfixes (code improvements): + - After we free an internal connection structure, overwrite it + with a different memory value than we use for overwriting a freed + internal circuit structure. Should help with debugging. Suggested + by bug 1055. + - If OpenSSL fails to make a duplicate of a private or public key, log + an error message and try to exit cleanly. May help with debugging + if bug 1209 ever remanifests. + - Some options used different conventions for uppercasing of acronyms + when comparing manpage and source. Fix those in favor of the + manpage, as it makes sense to capitalize acronyms. + - Take a first step towards making or.h smaller by splitting out + function definitions for all source files in src/or/. Leave + structures and defines in or.h for now. + - Remove a few dead assignments during router parsing. Found by + coverity. + - Don't use 1-bit wide signed bit fields. Found by coverity. + - Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned. + None of the cases where we did this before were wrong, but by making + this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28. + - The memarea code now uses a sentinel value at the end of each area + to make sure nothing writes beyond the end of an area. This might + help debug some conceivable causes of bug 930. + - Always treat failure to allocate an RSA key as an unrecoverable + allocation error. + - Add some more defensive programming for architectures that can't + handle unaligned integer accesses. We don't know of any actual bugs + right now, but that's the best time to fix them. Fixes bug 1943. + + o Minor bugfixes (misc): + - Fix a rare bug in rend_fn unit tests: we would fail a test when + a randomly generated port is 0. Diagnosed by Matt Edman. Bugfix + on 0.2.0.10-alpha; fixes bug 1808. + - Where available, use Libevent 2.0's periodic timers so that our + once-per-second cleanup code gets called even more closely to + once per second than it would otherwise. Fixes bug 943. + - Ignore OutboundBindAddress when connecting to localhost. + Connections to localhost need to come _from_ localhost, or else + local servers (like DNS and outgoing HTTP/SOCKS proxies) will often + refuse to listen. + - Update our OpenSSL 0.9.8l fix so that it works with OpenSSL 0.9.8m + too. + - If any of the v3 certs we download are unparseable, we should + actually notice the failure so we don't retry indefinitely. Bugfix + on 0.2.0.x; reported by "rotator". + - When Tor fails to parse a descriptor of any kind, dump it to disk. + Might help diagnosing bug 1051. + - Make our 'torify' script more portable; if we have only one of + 'torsocks' or 'tsocks' installed, don't complain to the user; + and explain our warning about tsocks better. + - Fix some urls in the exit notice file and make it XHTML1.1 strict + compliant. Based on a patch from Christian Kujau. + + o Documentation changes: + - Modernize the doxygen configuration file slightly. Fixes bug 2707. + - Resolve all doxygen warnings except those for missing documentation. + Fixes bug 2705. + - Add doxygen documentation for more functions, fields, and types. + - Convert the HACKING file to asciidoc, and add a few new sections + to it, explaining how we use Git, how we make changelogs, and + what should go in a patch. + - Document the default socks host and port (127.0.0.1:9050) for + tor-resolve. + - Removed some unnecessary files from the source distribution. The + AUTHORS file has now been merged into the people page on the + website. The roadmaps and design doc can now be found in the + projects directory in svn. + + o Deprecated and removed features (config): + - Remove the torrc.complete file. It hasn't been kept up to date + and users will have better luck checking out the manpage. + - Remove the HSAuthorityRecordStats option that version 0 hidden + service authorities could use to track statistics of overall v0 + hidden service usage. + - Remove the obsolete "NoPublish" option; it has been flagged + as obsolete and has produced a warning since 0.1.1.18-rc. + - Caches no longer download and serve v2 networkstatus documents + unless FetchV2Networkstatus flag is set: these documents haven't + haven't been used by clients or relays since 0.2.0.x. Resolves + bug 3022. + + o Deprecated and removed features (controller): + - The controller no longer accepts the old obsolete "addr-mappings/" + or "unregistered-servers-" GETINFO values. + - The EXTENDED_EVENTS and VERBOSE_NAMES controller features are now + always on; using them is necessary for correct forward-compatible + controllers. + + o Deprecated and removed features (misc): + - Hidden services no longer publish version 0 descriptors, and clients + do not request or use version 0 descriptors. However, the old hidden + service authorities still accept and serve version 0 descriptors + when contacted by older hidden services/clients. + - Remove undocumented option "-F" from tor-resolve: it hasn't done + anything since 0.2.1.16-rc. + - Remove everything related to building the expert bundle for OS X. + It has confused many users, doesn't work right on OS X 10.6, + and is hard to get rid of once installed. Resolves bug 1274. + - Remove support for .noconnect style addresses. Nobody was using + them, and they provided another avenue for detecting Tor users + via application-level web tricks. + - When we fixed bug 1038 we had to put in a restriction not to send + RELAY_EARLY cells on rend circuits. This was necessary as long + as relays using Tor 0.2.1.3-alpha through 0.2.1.18-alpha were + active. Now remove this obsolete check. Resolves bug 2081. + - Remove workaround code to handle directory responses from servers + that had bug 539 (they would send HTTP status 503 responses _and_ + send a body too). Since only server versions before + 0.2.0.16-alpha/0.1.2.19 were affected, there is no longer reason to + keep the workaround in place. + - Remove the old 'fuzzy time' logic. It was supposed to be used for + handling calculations where we have a known amount of clock skew and + an allowed amount of unknown skew. But we only used it in three + places, and we never adjusted the known/unknown skew values. This is + still something we might want to do someday, but if we do, we'll + want to do it differently. + - Remove the "--enable-iphone" option to ./configure. According to + reports from Marco Bonetti, Tor builds fine without any special + tweaking on recent iPhone SDK versions. + + Changes in version 0.2.1.30 - 2011-02-23 Tor 0.2.1.30 fixes a variety of less critical bugs. The main other change is a slight tweak to Tor's TLS handshake that makes relays @@ -1972,6 +3730,8 @@ Changes in version 0.2.0.30 - 2008-07-15 warning "-Wshorten-64-to-32" is available. - Support compilation to target iPhone; patch from cjacker huang. To build for iPhone, pass the --enable-iphone option to configure. + - Port Tor to build and run on Windows CE systems, using the wcecompat + library. Contributed by Valerio Lupi. - Detect non-ASCII platforms (if any still exist) and refuse to build there: some of our code assumes that 'A' is 65 and so on. - Clear up some MIPSPro compiler warnings. diff --git a/changes/abandon-rend-circs-on-newnym b/changes/abandon-rend-circs-on-newnym deleted file mode 100644 index 67cb2dce2f..0000000000 --- a/changes/abandon-rend-circs-on-newnym +++ /dev/null @@ -1,8 +0,0 @@ - o Security fixes: - - Don't attach new streams to old rendezvous circuits after SIGNAL - NEWNYM. Previously, we would keep using an existing rendezvous - circuit if it remained open (i.e. if it were kept open by a - long-lived stream or if a new stream were attached to it before - Tor could notice that it was old and no longer in use and close - it). Bugfix on 0.1.1.15-rc; fixes bug 3375. - diff --git a/changes/bridgepassword b/changes/bridgepassword deleted file mode 100644 index 5f0e250ff6..0000000000 --- a/changes/bridgepassword +++ /dev/null @@ -1,11 +0,0 @@ - o Security fixes: - - When using the debuging BridgePassword field, a bridge authority - now compares alleged passwords by hashing them, then comparing - the result to a digest of the expected authenticator. This avoids - a potential side-channel attack in the previous code, which - had foolishly used strcmp(). Fortunately, the BridgePassword field - *is not in use*, but if it had been, the timing - behavior of strcmp() might have allowed an adversary to guess the - BridgePassword value, and enumerate the bridges. Bugfix on - 0.2.0.14-alpha. Fixes bug 5543. - diff --git a/changes/buffer_bug b/changes/buffer_bug deleted file mode 100644 index 634f609533..0000000000 --- a/changes/buffer_bug +++ /dev/null @@ -1,7 +0,0 @@ - - o Major bugfixes: - - Fix a heap overflow bug that could occur when trying to pull - data into the first chunk of a buffer, when that chunk had - already had some data drained from it. Fixes CVE-2011-2778; - bugfix on 0.2.0.16-alpha. Reported by "Vektor". - diff --git a/changes/bug1240 b/changes/bug1240 deleted file mode 100644 index 657066491c..0000000000 --- a/changes/bug1240 +++ /dev/null @@ -1,8 +0,0 @@ - o Minor bugfixes: - - When running with an older Linux kernel that erroneously responds - to strange nmap behavior by having accept() return successfully - with a zero-length socket, just close the connection. Previously, - we would try harder to learn the remote address: but there was no - such remote address to learn, and our method for trying to learn - it was incorrect. Fixes bugs #1240, #4745, and #4747. Bugfix on - 0.1.0.3-rc. Reported and diagnosed by "r1eo". diff --git a/changes/bug1297a b/changes/bug1297a deleted file mode 100644 index 140b94e3b0..0000000000 --- a/changes/bug1297a +++ /dev/null @@ -1,16 +0,0 @@ - o Major bugfixes: - - Apply circuit timeouts to opened hidden-service-related circuits - based on the correct start time. Previously, we would apply the - circuit build timeout based on time since the circuit's - creation; it was supposed to be applied based on time since the - circuit entered its current state. Bugfix on 0.0.6; fixes part - of bug 1297. - - Use the same circuit timeout for client-side introduction - circuits as for other four-hop circuits. Previously, - client-side introduction circuits were closed after the same - timeout as single-hop directory-fetch circuits; this was - appropriate with the static circuit build timeout in 0.2.1.x and - earlier, but caused many hidden service access attempts to fail - with the adaptive CBT introduced in 0.2.2.2-alpha. Bugfix on - 0.2.2.2-alpha; fixes another part of bug 1297. - diff --git a/changes/bug1345 b/changes/bug1345 deleted file mode 100644 index 0c9375a35d..0000000000 --- a/changes/bug1345 +++ /dev/null @@ -1,13 +0,0 @@ - o Minor bugfixes: - - On SIGHUP, do not clear out all TrackHostExits mappings, client DNS - cache entries, and virtual address mappings: that's what NEWNYM is - for. Bugfix on Tor 0.1.0.1-rc; fixes bug 1345. - - When TrackHostExits is changed from a controller, remove any - mappings for hosts that should no longer have their exits tracked. - Bugfix on Tor 0.1.0.1-rc. - - When VirtualAddrNetwork option is changed from a controller, - remove any mappings for hosts that were automapped to - that network. Bugfix on 0.1.1.19-rc. - - When one of the AutomapHosts* options is changed from a - controller, remove any mappings for hosts that should no longer be - automapped. Bugfix on 0.2.0.1-alpha. diff --git a/changes/bug1352 b/changes/bug1352 deleted file mode 100644 index bde0192401..0000000000 --- a/changes/bug1352 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features - - Rate-limit a warning about failures to download v2 networkstatus - documents. Resolves part of bug 1352. - diff --git a/changes/bug1810 b/changes/bug1810 deleted file mode 100644 index 11e561f7cf..0000000000 --- a/changes/bug1810 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes: - - Don't decide to make a new descriptor when receiving a HUP signal. - This bug has caused a lot of relays to disappear from the consensus - periodically. Fixes the most common case of triggering bug 1810; - bugfix on 0.2.2.7-alpha. - diff --git a/changes/bug2355 b/changes/bug2355 deleted file mode 100644 index ee0ae4b96a..0000000000 --- a/changes/bug2355 +++ /dev/null @@ -1,8 +0,0 @@ - o Major features: - - If "UseBridges 1" is set and no bridges are configured, Tor will - now refuse to build any circuits until some bridges are set. - If "UseBridges auto" is set, Tor will use bridges if they are - configured and we are not running as a server, but otherwise - will make circuits as usual. The new default is "auto". Patch - by anonym. - diff --git a/changes/bug2355_revert b/changes/bug2355_revert deleted file mode 100644 index 2ded40ad8e..0000000000 --- a/changes/bug2355_revert +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes: - - Revert the UseBridges option to its behavior before 0.2.2.28-beta. - When we changed the default behavior to "use bridges if any are - listed in the torrc", we broke a number of users who had bridges - in their torrc files but who didn't actually want to use them. - Partial resolution for bug 3354. - diff --git a/changes/bug2442 b/changes/bug2442 deleted file mode 100644 index cbcc22bb80..0000000000 --- a/changes/bug2442 +++ /dev/null @@ -1,8 +0,0 @@ - * Minor bugfixes: - - - Demote the 'replay detected' log message emitted when a hidden - service receives the same Diffie-Hellman public key in two - different INTRODUCE2 cells to info level. A normal Tor client - can cause that log message during its normal operation. Bugfix - on 0.2.1.6-alpha; fixes part of bug 2442. - diff --git a/changes/bug2442b b/changes/bug2442b deleted file mode 100644 index 02e1636e91..0000000000 --- a/changes/bug2442b +++ /dev/null @@ -1,8 +0,0 @@ - * Minor bugfixes: - - - Demote the 'INTRODUCE2 cell is too {old,new}' log message to - info level. There is nothing that a hidden service's operator - can do to fix its clients' clocks. Bugfix on 0.2.1.6-alpha; - fixes part of bug 2442. - - diff --git a/changes/bug2503 b/changes/bug2503 deleted file mode 100644 index 50b8bf50c2..0000000000 --- a/changes/bug2503 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - When an HTTPS proxy reports "403 Forbidden", we now explain - what it means rather than calling it an unexpected status code. - Closes bug 2503. Patch from "mikey". diff --git a/changes/bug2574 b/changes/bug2574 deleted file mode 100644 index 5cf2daebfa..0000000000 --- a/changes/bug2574 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Allow nameservers with IPv6 address. Fixes bug 2574. - diff --git a/changes/bug2649a b/changes/bug2649a deleted file mode 100644 index 4ee31ebdb6..0000000000 --- a/changes/bug2649a +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features: - - Add a VoteOnHidServDirectoriesV2 configuration option to allow - directory authorities to abstain from voting on assignment of - the HSDir consensus flag. Related to bug 2649. - diff --git a/changes/bug2649b b/changes/bug2649b deleted file mode 100644 index 1ff14e5569..0000000000 --- a/changes/bug2649b +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Change the default required uptime for a relay to be accepted as - a HSDir from 24 hours to 25 hours. Bugfix on 0.2.0.10-alpha; - fixes bug 2649. - diff --git a/changes/bug2732-simple b/changes/bug2732-simple deleted file mode 100644 index 367836152d..0000000000 --- a/changes/bug2732-simple +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes - - Do not reject hidden service descriptors simply because we don't - think we have not been assigned the HSDir flag. Clients and - hidden services can have a more up-to-date view of the network - consensus, and if they think that the directory authorities - list us a HSDir, we might actually be one. Related to bug 2732; - bugfix on 0.2.0.10-alpha. diff --git a/changes/bug2748 b/changes/bug2748 deleted file mode 100644 index b522560a92..0000000000 --- a/changes/bug2748 +++ /dev/null @@ -1,10 +0,0 @@ - o Minor bugfixes - - Remove dead code from rend_cache_lookup_v2_desc_as_dir. Fixes - part of bug 2748; bugfix on 0.2.0.10-alpha. - - Log malformed requests for rendezvous descriptors as protocol - warnings, not warnings. Also, use a more informative log - message in case someone sees it at log level warning without - prior info-level messages. Fixes the other part of bug 2748; - bugfix on 0.2.0.10-alpha. - - diff --git a/changes/bug2752 b/changes/bug2752 deleted file mode 100644 index b872d3374a..0000000000 --- a/changes/bug2752 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features: - - Tor used to limit HttpProxyAuthenticator values to 48 characters. - Changed the limit to 512 characters by removing base64 newlines. - Fixes bug 2752. Fix by Michael Yakubovich. - diff --git a/changes/bug2792_checkdir b/changes/bug2792_checkdir deleted file mode 100644 index 10de1deb2d..0000000000 --- a/changes/bug2792_checkdir +++ /dev/null @@ -1,8 +0,0 @@ - o Minor features: - - Tor now refuses to create a ControlSocket in a directory that is - world-readable (or group-readable if ControlSocketsGroupWritable - is 0). This is necessary because some operating systems do not - check the permissions on an AF_UNIX socket when programs try to - connect to it. Checking permissions on the directory holding - the socket, however, seems to work everywhere. - diff --git a/changes/bug2850 b/changes/bug2850 deleted file mode 100644 index 77ccbfa25d..0000000000 --- a/changes/bug2850 +++ /dev/null @@ -1,5 +0,0 @@ - - Minor features - o Set SO_REUSEADDR on all sockets, not just listeners. This should - help busy exit nodes avoid running out of useable ports just because - all the ports have been used in the near past. Resolves issue 2850. - diff --git a/changes/bug2972 b/changes/bug2972 deleted file mode 100644 index 26afcca421..0000000000 --- a/changes/bug2972 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features: - - Allow ControlSockets to be group-writable when the - ControlSocksGroupWritable configuration option is turned on. Patch - by Jérémy Bobbio; implements ticket 2972. - diff --git a/changes/bug3019 b/changes/bug3019 deleted file mode 100644 index 4df709fb3b..0000000000 --- a/changes/bug3019 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Do not reset the bridge descriptor download status every time we - re-parse our configuration or get a configuration change. Fixes - bug 3019; bugfix on Tor 0.2.0.3-alpha. diff --git a/changes/bug3022 b/changes/bug3022 deleted file mode 100644 index 9472e6d196..0000000000 --- a/changes/bug3022 +++ /dev/null @@ -1,6 +0,0 @@ - o Removed features - - Caches no longer download and serve v2 networkstatus documents - unless FetchV2Networkstatus flag is set: these documents haven't - haven't been used by clients or relays since 0.2.0.x. Resolves - bug 3022. - diff --git a/changes/bug3026 b/changes/bug3026 deleted file mode 100644 index c0c0a3860a..0000000000 --- a/changes/bug3026 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (directory authority) - - Do not upload our own vote or signature set to ourself. It would - tell us nothing new. Also, as of Tor 0.2.2.24-alpha, we started - to warn about receiving duplicate votes. Resolves bug 3026. diff --git a/changes/bug3045 b/changes/bug3045 deleted file mode 100644 index 1cbcabaff6..0000000000 --- a/changes/bug3045 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor features: - - Revise most log messages that refer to nodes by nickname to - instead use the "$key=nickname at address" format. This should be - more useful, especially since nicknames are less and less likely - to be unique. Fixes bug 3045. - diff --git a/changes/bug3122_memcmp b/changes/bug3122_memcmp deleted file mode 100644 index a049476743..0000000000 --- a/changes/bug3122_memcmp +++ /dev/null @@ -1,7 +0,0 @@ - o Security fixes - - Replace all potentially sensitive memory comparison operations - with versions whose runtime does not depend on the data being - compared. This will help resist a class of attacks where an - adversary can use variations in timing information to learn - sensitive data. Fix for one case of bug 3122. (Safe memcmp - implementation by Robert Ransom based partially on code by DJB.) diff --git a/changes/bug3135 b/changes/bug3135 deleted file mode 100644 index d761123480..0000000000 --- a/changes/bug3135 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes - - Do not crash when our configuration file becomes unreadable - (usually due to a permissions change) between when we start - up and when a controller calls SAVECONF. Fixes bug 3135; - bugfix on 0.0.9pre6. - diff --git a/changes/bug3175 b/changes/bug3175 deleted file mode 100644 index 3360fbce00..0000000000 --- a/changes/bug3175 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes: - - Resolve an untriggerable issue in smartlist_string_num_isin(), - where if the function had ever in the future been used to check - for the presence of a too-large number, it would have given an - incorrect result. (Fortunately, we only used it for 16-bit - values.) Fixes bug 3175; bugfix on Tor 0.1.0.1-rc. - diff --git a/changes/bug3198 b/changes/bug3198 deleted file mode 100644 index 29c16852e1..0000000000 --- a/changes/bug3198 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - When we configure a new bridge via the controller, don't wait up - to ten seconds before trying to fetch its descriptor. Bugfix on - 0.2.0.3-alpha; fixes bug 3198 (suggested by 2355). diff --git a/changes/bug3200 b/changes/bug3200 deleted file mode 100644 index a80d51633e..0000000000 --- a/changes/bug3200 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - When a client starts or stops using bridges, never use a circuit - that was built before the configuration change. This behavior could - put at risk a user who uses bridges to ensure that her traffic - only goes to the chosen addresses. Bugfix on 0.2.0.3-alpha; fixes - bug 3200. diff --git a/changes/bug3207 b/changes/bug3207 deleted file mode 100644 index 65a7dac1ab..0000000000 --- a/changes/bug3207 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Require that onion keys have exponent 65537 in microdescriptors too. - Fixes part of bug 3207; bugfix on 0.2.2.25-alpha - diff --git a/changes/bug3208 b/changes/bug3208 deleted file mode 100644 index fd737ba695..0000000000 --- a/changes/bug3208 +++ /dev/null @@ -1,6 +0,0 @@ - o Removed options: - - Remove undocumented option "-F" from tor-resolve: it hasn't done - anything since 0.2.1.16-rc. - - o Minor bugfixes: - - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option. diff --git a/changes/bug3213 b/changes/bug3213 deleted file mode 100644 index ab7de2d629..0000000000 --- a/changes/bug3213 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - Fix a crash bug when changing bridges in a running Tor process. - Fixes bug 3213; bugfix on 0.2.2.26-beta. - diff --git a/changes/bug3216 b/changes/bug3216 deleted file mode 100644 index 599b5e162f..0000000000 --- a/changes/bug3216 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - Don't try to build descriptors if "ORPort auto" is set and we - don't know our actual ORPort yet. Fix for bug 3216; bugfix on - 0.2.2.26-beta. diff --git a/changes/bug3228 b/changes/bug3228 deleted file mode 100644 index 4aca810d3c..0000000000 --- a/changes/bug3228 +++ /dev/null @@ -1,3 +0,0 @@ - o Major bugfixes: - - Resolve a crash that occured when setting BridgeRelay to 1 with - accounting enabled. Fixes bug 3228; bugfix on 0.2.2.18-alpha. diff --git a/changes/bug3252 b/changes/bug3252 deleted file mode 100644 index f85f633fbd..0000000000 --- a/changes/bug3252 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Relays now log the reason for publishing a new relay descriptor, - so we have a better chance of hunting down the root cause of bug - 1810. Resolves ticket 3252. diff --git a/changes/bug3270 b/changes/bug3270 deleted file mode 100644 index b37bb983cc..0000000000 --- a/changes/bug3270 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes - - Use a wide type to hold sockets when built for 64-bit Windows builds. - Fixes bug 3270. - diff --git a/changes/bug3289 b/changes/bug3289 deleted file mode 100644 index c469796d6e..0000000000 --- a/changes/bug3289 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Warn when the user configures two HiddenServiceDir lines that point - to the same directory. Bugfix on 0.0.6 (the version introducing - HiddenServiceDir); fixes bug 3289. - diff --git a/changes/bug3306 b/changes/bug3306 deleted file mode 100644 index f868a24af0..0000000000 --- a/changes/bug3306 +++ /dev/null @@ -1,9 +0,0 @@ - o Minor bugfixes: - - Make our crypto_rand_int() function check the value of its input - correctly. Previously, it accepted values up to UINT_MAX, but - could return a negative number if given a value above INT_MAX+1. - Found by George Kadianakis. Fixes bug 3306; bugfix on 0.2.2pre14. - - - Avoid a segfault when reading a malformed circuit build state - with more than INT_MAX entries. Found by wanoskarnet. Bugfix on - 0.2.2.4-alpha. diff --git a/changes/bug3309 b/changes/bug3309 deleted file mode 100644 index 104056d8e3..0000000000 --- a/changes/bug3309 +++ /dev/null @@ -1,13 +0,0 @@ - o Minor bugfixes: - - Clear the table recording the time of the last request for each - hidden service descriptor from each HS directory on SIGNAL - NEWNYM. Previously, we would clear our HS descriptor cache on - SIGNAL NEWNYM, but if we had previously retrieved a descriptor - (or tried to) from every directory responsible for it, we would - refuse to fetch it again for up to 15 minutes. Bugfix on - 0.2.2.25-alpha; fixes bug 3309. - - o Minor features: - - Log (at info level) when purging pieces of hidden-service-client - state on SIGNAL NEWNYM. - diff --git a/changes/bug3318 b/changes/bug3318 deleted file mode 100644 index 8a3c27825f..0000000000 --- a/changes/bug3318 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes: - - Fix a log message that said "bits" while displaying a value in - bytes. Found by wanoskarnet. Fixes bug 3318; bugfix on - 0.2.0.1-alpha. - - When checking for 1024-bit keys, check for 1024 bits, not 128 - bytes. This allows Tor to correctly discard keys of length - 1017 through 1023. Bugfix on 0.0.9pre5. diff --git a/changes/bug3321 b/changes/bug3321 deleted file mode 100644 index 3605efce2d..0000000000 --- a/changes/bug3321 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes: - - In bug 2511 we fixed a case where you could use an unconfigured - bridge if you had configured it as a bridge the last time you ran - Tor. Now fix another edge case: if you had configured it as a bridge - but then switched to a different bridge via the controller, you - would still be willing to use the old one. Bugfix on 0.2.0.1-alpha; - fixes bug 3321. diff --git a/changes/bug3369 b/changes/bug3369 deleted file mode 100644 index 9c0d0e699a..0000000000 --- a/changes/bug3369 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - When asked about a DNS record type we don't support via a - client DNSPort, reply with NOTIMPL rather than an empty - reply. Patch by intrigeri. Fixes bug 3369; bugfix on 2.0.1-alpha. diff --git a/changes/bug3393 b/changes/bug3393 deleted file mode 100644 index 677bcb7be2..0000000000 --- a/changes/bug3393 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Fix a bug when using ControlSocketsGroupWritable with User. The - directory's group would be checked against the current group, not - the configured group. Patch by Jérémy Bobbio. Fixes bug3393; bugfix - on Tor 0.2.2.26-beta.
\ No newline at end of file diff --git a/changes/bug3465-022 b/changes/bug3465-022 deleted file mode 100644 index 2d226162aa..0000000000 --- a/changes/bug3465-022 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - - Add BUILDTIMEOUT_SET to the list returned by the 'GETINFO - events/names' control-port command. Bugfix on 0.2.2.9-alpha; - fixes part of bug 3465. - diff --git a/changes/bug3536 b/changes/bug3536 deleted file mode 100644 index d3cec131ba..0000000000 --- a/changes/bug3536 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Send a SUCCEEDED stream event to the controller when a reverse - resolve succeeded. Fixes bug 3536; bugfix on 0.0.8pre1. Issue - discovered by katmagic. - diff --git a/changes/bug3577 b/changes/bug3577 deleted file mode 100644 index 6335272752..0000000000 --- a/changes/bug3577 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Allow GETINFO fingerprint to return a fingerprint even when - we have not yet built a router descriptor. Fixes bug 3577; - bugfix on 0.2.0.1-alpha. diff --git a/changes/bug3607 b/changes/bug3607 deleted file mode 100644 index 5ece21934b..0000000000 --- a/changes/bug3607 +++ /dev/null @@ -1,15 +0,0 @@ - o Minor bugfixes: - - - Write several files in text mode, on OSes that distinguish text - mode from binary mode (namely, Windows). These files are: - buffer-stats, dirreq-stats, and entry-stats on relays that collect - those statistics; client_keys and hostname files for hidden - services that use authentication; and (in the tor-gencert utility) - newly generated identity and signing keys. Previously, we - wouldn't specify text mode or binary mode, leading to an assertion - failure. Fixes bug 3607. Bugfix on 0.2.1.1-alpha (when the - DirRecordUsageByCountry option which would have triggered the - assertion failure was added), although this assertion failure - would have occurred in tor-gencert on Windows in 0.2.0.1-alpha. - - diff --git a/changes/bug3643 b/changes/bug3643 deleted file mode 100644 index 86bd920cac..0000000000 --- a/changes/bug3643 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Selectively disable deprecation warnings on OS X because Lion started - deprecating the shipped copy of openssl. Fixes bug 3643. - diff --git a/changes/bug3732 b/changes/bug3732 deleted file mode 100644 index 7a71d1aef3..0000000000 --- a/changes/bug3732 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes: - - - Remove an extra pair of quotation marks around the error - message in control-port STATUS_GENERAL BUG events. Bugfix on - 0.1.2.6-alpha; fixes bug 3732. - - diff --git a/changes/bug3747 b/changes/bug3747 deleted file mode 100644 index 052dab1bd0..0000000000 --- a/changes/bug3747 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes: - - Write control ports to disk only after switching UID and - creating the data directory. This way, we don't fail when - starting up with a nonexistant DataDirectory and a - ControlPortWriteToFile setting based on that directory. Fixes - bug 3747; bugfix on Tor 0.2.2.26-beta.
\ No newline at end of file diff --git a/changes/bug3894 b/changes/bug3894 deleted file mode 100644 index 4c2220aba8..0000000000 --- a/changes/bug3894 +++ /dev/null @@ -1,4 +0,0 @@ - o Build fixes: - - Clean up some code issues that prevented Tor from building on older - BSDs. Fixes bug 3894; reported by grarpamp. - diff --git a/changes/bug3898a b/changes/bug3898a deleted file mode 100644 index d40445e340..0000000000 --- a/changes/bug3898a +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - Correct the man page to explain that HashedControlPassword and - CookieAuthentication can both be set, in which case either method - is sufficient to authenticate to Tor. Bugfix on 0.2.0.7-alpha, - when we decided to allow these config options to both be set. Issue - raised by bug 3898. diff --git a/changes/bug3909 b/changes/bug3909 deleted file mode 100644 index 0b4b292030..0000000000 --- a/changes/bug3909 +++ /dev/null @@ -1,3 +0,0 @@ - o Build fixes: - - Search for a platform-specific version of "ar" when cross-compiling. - Should fix builds on iOS. Found by Marco Bonetti. diff --git a/changes/bug3923 b/changes/bug3923 deleted file mode 100644 index 9c0e138826..0000000000 --- a/changes/bug3923 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfies: - - Avoid an assertion failure when reloading a configuration with - TrackExitHosts changes. Found and fixed by 'laruldan'. Fixes - bug 3923; bugfix on 0.2.2.25-alpha. - diff --git a/changes/bug3963 b/changes/bug3963 deleted file mode 100644 index 2fc44a095c..0000000000 --- a/changes/bug3963 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - When configuring, starting, or stopping an NT service, stop - immediately after the service configuration attempt has succeeded - or failed. Fixes bug3963; bugfix on 0.2.0.7-alpha. - diff --git a/changes/bug4012_022 b/changes/bug4012_022 deleted file mode 100644 index f101db5535..0000000000 --- a/changes/bug4012_022 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (documentation): - - Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays - directory authority option (introduced in Tor 0.2.2.34). diff --git a/changes/bug4014 b/changes/bug4014 deleted file mode 100644 index 9c20c6c337..0000000000 --- a/changes/bug4014 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Adjust the expiration time on our SSL session certificates to - better match SSL certs seen in the wild. Resolves ticket 4014. diff --git a/changes/bug4059 b/changes/bug4059 deleted file mode 100644 index 82a4b1a10c..0000000000 --- a/changes/bug4059 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Change an integer overflow check in the OpenBSD_Malloc code so - that GCC is less likely to eliminate it as impossible. Patch - from Mansour Moufid. Fixes bug 4059. - diff --git a/changes/bug4115 b/changes/bug4115 deleted file mode 100644 index 626791a806..0000000000 --- a/changes/bug4115 +++ /dev/null @@ -1,7 +0,0 @@ - o Security fixes: - - Bridge relays now do their directory fetches inside Tor TLS - connections, like all the other clients do, rather than connecting - directly to the DirPort like public relays do. Removes another - avenue for enumerating bridges. Fixes part of bug 4115; bugfix - on 0.2.0.35. - diff --git a/changes/bug4124 b/changes/bug4124 deleted file mode 100644 index abe93ccdd8..0000000000 --- a/changes/bug4124 +++ /dev/null @@ -1,6 +0,0 @@ - o Security fixes: - - Bridges relays now build circuits for themselves in a more similar - way to how clients build them. Removes another avenue for - enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha, - when bridges were introduced. - diff --git a/changes/bug4201 b/changes/bug4201 deleted file mode 100644 index 6f7d715af2..0000000000 --- a/changes/bug4201 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Bridges now skip DNS self-tests, to act a little more stealthily. - Fixes bug 4201; bugfix on 0.2.0.3-alpha, which first introduced - bridges. Patch by "warms0x". - diff --git a/changes/bug4212 b/changes/bug4212 deleted file mode 100644 index 6222a59978..0000000000 --- a/changes/bug4212 +++ /dev/null @@ -1,13 +0,0 @@ - o Major bugfixes: - - - Don't launch a useless circuit after failing to use one of a - hidden service's introduction points. Previously, we would - launch a new introduction circuit, but not set the hidden - service which that circuit was intended to connect to, so it - would never actually be used. A different piece of code would - then create a new introduction circuit correctly, so this bug - was harmless until it caused an assertion in the client-side - part of the #3825 fix to fail. Bug reported by katmagic and - found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug - 4212. - diff --git a/changes/bug4230 b/changes/bug4230 deleted file mode 100644 index c1ba5847fc..0000000000 --- a/changes/bug4230 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Resolve an integer overflow bug in smartlist_ensure_capacity. - Fixes bug 4230; bugfix on Tor 0.1.0.1-rc. Based on a patch by - Mansour Moufid. - diff --git a/changes/bug4251 b/changes/bug4251 deleted file mode 100644 index 303c9e6364..0000000000 --- a/changes/bug4251 +++ /dev/null @@ -1,8 +0,0 @@ - o Minor bugfixes: - - - When a hidden service turns an extra service-side introduction - circuit into a general-purpose circuit, free the rend_data and - intro_key fields first, so they won't be leaked if the circuit - is cannibalized for use as another service-side introduction - circuit. Bugfix on 0.2.1.7-alpha; fixes bug 4251. - diff --git a/changes/bug4259 b/changes/bug4259 deleted file mode 100644 index bfccd3aee8..0000000000 --- a/changes/bug4259 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - Fix a crash bug when changing node restrictions while a DNS lookup - is in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix - by "Tey'". diff --git a/changes/bug4299 b/changes/bug4299 deleted file mode 100644 index c43d81460a..0000000000 --- a/changes/bug4299 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfix: - - Do not process cells on a marked-for-close connection. We previously - avoided this by not calling read handlers on marked connections, but - that's not adequate for the case when cells are very small. Fixes - bug 4299; bugfix on 0.2.0.20-rc which first made small cells possible. diff --git a/changes/bug4309 b/changes/bug4309 deleted file mode 100644 index f4f910e7ff..0000000000 --- a/changes/bug4309 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Remove a confusing dollar sign from the example fingerprint in the - man page, and also make example fingerprint a valid one. Fixes bug - 4309; bugfix on 0.2.1.3-alpha. - diff --git a/changes/bug4331 b/changes/bug4331 deleted file mode 100644 index 011238a962..0000000000 --- a/changes/bug4331 +++ /dev/null @@ -1,4 +0,0 @@ - o Trivial fixes: - - Fixed a typo in a hibernation-related log message. Fixes bug 4331; - bugfix on 0.2.2.23-alpha; found by "tmpname0901". - diff --git a/changes/bug4340 b/changes/bug4340 deleted file mode 100644 index 08098b1cd5..0000000000 --- a/changes/bug4340 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - Don't crash when we're running as a relay and don't have a geoip - file. Bugfix on tor-0.2.2.34; fixes bug 4340. This backports a fix - we've had in master already. - diff --git a/changes/bug4349 b/changes/bug4349 deleted file mode 100644 index 633916bdfd..0000000000 --- a/changes/bug4349 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - When sending a NETINFO cell, include the original address - received for the other side, not its canonical address. Found - by "troll_un"; fixes bug 4349; bugfix on 0.2.0.10-alpha. diff --git a/changes/bug4353 b/changes/bug4353 deleted file mode 100644 index 5e80c902c8..0000000000 --- a/changes/bug4353 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes: - - When running as client without a geoip database, do not print a - misleading (and plain wrong) log message that we're collecting - dirreq statistics - we're not collecting statistics as clients. - Also don't create a useless (because empty) stats file in the - stats/ directory. Fixes bug 4353, bugfix on 0.2.2.34. - diff --git a/changes/bug4383 b/changes/bug4383 deleted file mode 100644 index e618b8c8fb..0000000000 --- a/changes/bug4383 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Fix a memleak in launch_direct_bridge_descriptor_fetch() that - occured when a client tried to fetch a descriptor for a bridge - in ExcludeNodes. Fixes #4383; bugfix on 0.2.2.25-alpha. - diff --git a/changes/bug4410 b/changes/bug4410 deleted file mode 100644 index f42893adf4..0000000000 --- a/changes/bug4410 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - Correctly sanity-check that we don't underflow on a memory allocation - for introduction point decryption. Bug discovered by Dan Rosenberg. - Fixes bug 4410; bugfix on 0.2.1.5-alpha. - diff --git a/changes/bug4424 b/changes/bug4424 deleted file mode 100644 index 443625dca6..0000000000 --- a/changes/bug4424 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes - - - Don't leak memory when we check whether a hidden service - descriptor has any usable introduction points left. Fixes bug - 4424. Bugfix on 0.2.2.25-alpha. - diff --git a/changes/bug4426 b/changes/bug4426 deleted file mode 100644 index 1322243d09..0000000000 --- a/changes/bug4426 +++ /dev/null @@ -1,8 +0,0 @@ - o Minor features: - - - When Tor ignores a hidden service specified in its - configuration, include the hidden service's directory in the - warning message. Previously, we would only tell the user that - some hidden service was ignored. Bugfix on 0.0.6; fixes bug - 4426. - diff --git a/changes/bug4437 b/changes/bug4437 deleted file mode 100644 index 985c670b15..0000000000 --- a/changes/bug4437 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Don't warn about unused log_mutex in log.c when building with - --disable-threads using a recent GCC. Fixes bug 4437; bugfix on - 0.1.0.6-rc which introduced --disable-threads. - diff --git a/changes/bug4457 b/changes/bug4457 deleted file mode 100644 index fe7c95ff80..0000000000 --- a/changes/bug4457 +++ /dev/null @@ -1,9 +0,0 @@ - o Minor bugfixes: - - Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so - that it doesn't attempt to allocate a socketpair. This could cause - some problems on windows systems with overzealous firewalls. Fix for - bug 4457; workaround for Libevent versions 2.0.1-alpha through - 2.0.15-stable. - - - Detect failure to initialize Libevent. Better detection for bug 4457. - diff --git a/changes/bug4518 b/changes/bug4518 deleted file mode 100644 index 8dcb93bf72..0000000000 --- a/changes/bug4518 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (performance): - - Avoid frequent calls to the fairly expensive cull_wedged_cpuworkers - function. This was eating up hideously large amounts of time on some - busy servers. Fixes bug 4518. diff --git a/changes/bug4521 b/changes/bug4521 deleted file mode 100644 index 9b0bae9b00..0000000000 --- a/changes/bug4521 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Backport fixes for a pair of compilation warnings on Windows. - Fixes bug 4521; bugfix on 0.2.2.28-beta and on 0.2.2.29-beta. diff --git a/changes/bug4529 b/changes/bug4529 deleted file mode 100644 index 89d10b2f6b..0000000000 --- a/changes/bug4529 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bufixes: - - If we had ever tried to call tor_addr_to_str on an address of - unknown type, we would have done a strdup on an uninitialized - buffer. Now we won't. Fixes bug 4529; bugfix on 0.2.1.3-alpha. - Reported by "troll_un". diff --git a/changes/bug4530 b/changes/bug4530 deleted file mode 100644 index 7cd4726e57..0000000000 --- a/changes/bug4530 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - - Correctly detect and handle transient lookup failures from - tor_addr_lookup. Fixes bug 4530; bugfix on 0.2.1.5-alpha. - Reported by "troll_un". - diff --git a/changes/bug4531 b/changes/bug4531 deleted file mode 100644 index 6209f9a058..0000000000 --- a/changes/bug4531 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - Fix null-pointer access that could occur if TLS allocation failed. - Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un". - diff --git a/changes/bug4533_part2 b/changes/bug4533_part2 deleted file mode 100644 index 7e0f7c313e..0000000000 --- a/changes/bug4533_part2 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - Fix the SOCKET_OK test that we use to tell when socket - creation fails so that it works on Win64. Fixes part of bug - 4533; bugfix on 0.2.2.29-beta. Bug found by wanoskarnet. - diff --git a/changes/bug4535 b/changes/bug4535 deleted file mode 100644 index 57ced29d0b..0000000000 --- a/changes/bug4535 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Use tor_socket_t type for listener argument to accept(). Fixes bug - 4535; bugfix on 0.2.2.28-beta. Found by "troll_un". diff --git a/changes/bug4786 b/changes/bug4786 deleted file mode 100644 index 7c1c60f632..0000000000 --- a/changes/bug4786 +++ /dev/null @@ -1,9 +0,0 @@ - - Feature removal: - - When sending or relaying a RELAY_EARLY cell, we used to convert - it to a RELAY cell if the connection was using the v1 link - protocol. This was a workaround for older versions of Tor, which - didn't handle RELAY_EARLY cells properly. Now that all supported - versions can handle RELAY_EARLY cells, and now that we're - enforcing the "no RELAY_EXTEND commands except in RELAY_EARLY - cells" rule, we're removing this workaround. Addresses bug 4786. - diff --git a/changes/bug4788 b/changes/bug4788 deleted file mode 100644 index d65c0015a0..0000000000 --- a/changes/bug4788 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor features (directory server): - - Directory servers now reject versions of Tor older than 0.2.1.30, - and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha - (inclusive). These versions accounted for only a small fraction of - the Tor network, and have numerous known security issues. Resolves - issue #4788. diff --git a/changes/bug4803 b/changes/bug4803 deleted file mode 100644 index cd25266c75..0000000000 --- a/changes/bug4803 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Correctly spell "connect" in a log message when creating a controlsocket - fails. Fixes bug 4803; bugfix on 0.2.2.26-beta/0.2.3.2-alpha. - diff --git a/changes/bug4822 b/changes/bug4822 deleted file mode 100644 index 73f43f0452..0000000000 --- a/changes/bug4822 +++ /dev/null @@ -1,13 +0,0 @@ - o Major security workaround: - - When building or running with any version of OpenSSL earlier - than 0.9.8s or 1.0.0f, disable SSLv3 support. These versions had - a bug (CVE-2011-4576) in which their block cipher padding - included uninitialized data, potentially leaking sensitive - information to any peer with whom they made a SSLv3 - connection. Tor does not use SSL v3 by default, but a hostile - client or server could force an SSLv3 connection in order to - gain information that they shouldn't have been able to get. The - best solution here is to upgrade to OpenSSL 0.9.8s or 1.0.0f (or - later). But when building or running with a non-upgraded - OpenSSL, we should instead make sure that the bug can't happen - by disabling SSLv3 entirely. diff --git a/changes/bug4856 b/changes/bug4856 deleted file mode 100644 index fa284a09f5..0000000000 --- a/changes/bug4856 +++ /dev/null @@ -1,3 +0,0 @@ - o Trivial bugfixes - - Fix a typo in a log message in rend_service_rendezvous_has_opened(). - Fixes bug 4856; bugfix on Tor 0.0.6. diff --git a/changes/bug5005 b/changes/bug5005 deleted file mode 100644 index 04d8dfe6a5..0000000000 --- a/changes/bug5005 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Update "ClientOnly" man page entry to explain that there isn't - really any point to messing with it. Resolves ticket 5005. diff --git a/changes/bug5065 b/changes/bug5065 deleted file mode 100644 index d195313623..0000000000 --- a/changes/bug5065 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - Fix build if path to sed, openssl or sha1sum contains spaces. - This is pretty common on Windows. Fixes bug 5065; bugfix on - 0.2.2.1-alpha. - diff --git a/changes/bug5067 b/changes/bug5067 deleted file mode 100644 index d94b921ce9..0000000000 --- a/changes/bug5067 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (usability): - - Downgrade the "We're missing a certificate" message from notice - to info: people kept mistaking it for a real problem, whereas it - is only a problem when we are failing to bootstrap. Fixes bug - 5067; bugfix on 0.2.10-alpha. diff --git a/changes/bug5090 b/changes/bug5090 deleted file mode 100644 index d47858cb11..0000000000 --- a/changes/bug5090 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes: - - Detect and reject certain misformed escape sequences in configuration - values. Previously, these values would cause us to crash if received - in a torrc file or over an (authenticated) control port. Bug found by - Esteban Manchado Velázquez. Patch by Alexander Schrijver. Fix for - bug 5090; bugfix on 0.2.0.16-alpha. - diff --git a/changes/bug5340 b/changes/bug5340 deleted file mode 100644 index 708988af08..0000000000 --- a/changes/bug5340 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Fix a compile warning when using the --enable-openbsd-malloc configure - option. Fixes bug 5340; bugfix on 0.2.0.20-rc. diff --git a/changes/bug5342 b/changes/bug5342 deleted file mode 100644 index b2ae4515a9..0000000000 --- a/changes/bug5342 +++ /dev/null @@ -1,3 +0,0 @@ - o Security fixes: - - Never use a bridge as an exit, even if it claims to be one. Found by - wanoskarnet. Fixes bug 5342. Bugfix on ????. diff --git a/changes/bug5343 b/changes/bug5343 deleted file mode 100644 index e4e14897f6..0000000000 --- a/changes/bug5343 +++ /dev/null @@ -1,7 +0,0 @@ - o Security fixes: - - Only build circuits if we have a sufficient threshold of the total - descriptors marked in the consensus with the "Exit" flag. This - mitigates an attack proposed by wanoskarnet, in which all of a - client's bridges collude to restrict the exit nodes that the - client knows about. Fixes bug 5343. - diff --git a/changes/bug5593 b/changes/bug5593 deleted file mode 100644 index 358e8de60d..0000000000 --- a/changes/bug5593 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - When sending an HTTP/1.1 proxy request, include a Host header. - Fixes bug 5593; bugfix on 0.2.2.1-alpha. diff --git a/changes/bug5644 b/changes/bug5644 deleted file mode 100644 index a390eba996..0000000000 --- a/changes/bug5644 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes - - Prevent a client-side assertion failure when receiving an - INTRODUCE2 cell by an exit relay, in a general purpose - circuit. Fixes bug 5644; bugfix on tor-0.2.1.6-alpha - diff --git a/changes/bug5647 b/changes/bug5647 deleted file mode 100644 index 92f41c8559..0000000000 --- a/changes/bug5647 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - Avoid logging uninitialized data when unable to decode a hidden - service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha. - diff --git a/changes/bug5760 b/changes/bug5760 deleted file mode 100644 index a26407b588..0000000000 --- a/changes/bug5760 +++ /dev/null @@ -1,3 +0,0 @@ - o Major bugfixes: - - End AUTHCHALLENGE error response messages with a CRLF. Fixes bug 5760; - bugfix on 0.2.3.16-alpha, and backported to maint-0.2.2 diff --git a/changes/bug5786_range b/changes/bug5786_range deleted file mode 100644 index 40ac4d2467..0000000000 --- a/changes/bug5786_range +++ /dev/null @@ -1,8 +0,0 @@ - o Minor bugfixes: - - Make our number-parsing functions always treat too-large values - as an error, even when those values exceed the width of the - underlying type. Previously, if the caller provided these - functions with minima or maxima set to the extreme values of the - underlying integer type, these functions would return those - values on overflow rather than treating overflow as an error. - Fix for part of bug 5786; bugfix on Tor 0.0.9.
\ No newline at end of file diff --git a/changes/check-fetched-rend-desc-service-id b/changes/check-fetched-rend-desc-service-id deleted file mode 100644 index 2f37c30216..0000000000 --- a/changes/check-fetched-rend-desc-service-id +++ /dev/null @@ -1,7 +0,0 @@ - o Security fixes: - - When fetching a hidden service descriptor, check that it is for - the hidden service we were trying to connect to, in order to - stop a directory from pre-seeding a client with a descriptor for - a hidden service that they didn't want. Bugfix on 0.0.6. - - diff --git a/changes/check-public-key-exponents b/changes/check-public-key-exponents deleted file mode 100644 index a8d00673be..0000000000 --- a/changes/check-public-key-exponents +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Require that introduction point keys and onion keys have public - exponent 65537. Bugfix on 0.2.0.10-alpha. - - diff --git a/changes/cid_428 b/changes/cid_428 deleted file mode 100644 index cb0fc8c2b2..0000000000 --- a/changes/cid_428 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Always NUL-terminate the sun_path field of a sockaddr_un before - passing it to the kernel. (Not a security issue: kernels are - smart enough to reject bad sockaddr_uns.) Found by Coverity; CID - # 428. Bugfix on Tor 0.2.0.3-alpha. diff --git a/changes/cid_450 b/changes/cid_450 deleted file mode 100644 index 2045fca239..0000000000 --- a/changes/cid_450 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Don't stack-allocate the list of supplementary GIDs when we're - about to log them. Stack-allocating NGROUPS_MAX gid_t elements - could take up to 256K, which is way too much stack. Found by - Coverity; CID #450. Bugfix on 0.2.1.7-alpha. diff --git a/changes/clang_30_options b/changes/clang_30_options deleted file mode 100644 index e8e34c8e3e..0000000000 --- a/changes/clang_30_options +++ /dev/null @@ -1,5 +0,0 @@ - o Code simplifications and refactoring: - - During configure, detect when we're building with clang version 3.0 or - lower and disable the -Wnormalized=id and -Woverride-init CFLAGS. - clang doesn't support them yet. - diff --git a/changes/cov479 b/changes/cov479 deleted file mode 100644 index afbaffc63b..0000000000 --- a/changes/cov479 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Fix internal bug-checking logic that was supposed to catch - failures in digest generation so that it will fail more robustly - if we ask for a nonexistent algorithm. Found by Coverity Scan. - Bugfix on 0.2.2.1-alpha; fixes Coverity CID 479. diff --git a/changes/cov484 b/changes/cov484 deleted file mode 100644 index 33adbda18c..0000000000 --- a/changes/cov484 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Report any failure in init_keys() calls done because our IP address - has changed. Spotted by Coverity Scan. Bugfix on 0.1.1.4-alpha; - fixes CID 484. diff --git a/changes/coverity_maint b/changes/coverity_maint deleted file mode 100644 index e7be90a485..0000000000 --- a/changes/coverity_maint +++ /dev/null @@ -1,9 +0,0 @@ - o Code simplifications and refactoring: - - Remove some dead code as indicated by coverity. - - Remove a few dead assignments during router parsing. Found by coverity. - o Minor bugfixes: - - Add some forgotten return value checks during unit tests. Found - by coverity. - - Don't use 1-bit wide signed bit fields. Found by coverity. - - Fix a rare memory leak during stats writing. Found by coverity. - diff --git a/changes/dirreq-stats-default b/changes/dirreq-stats-default deleted file mode 100644 index df7ac11425..0000000000 --- a/changes/dirreq-stats-default +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features: - - Turn on directory request statistics by default and include them in - extra-info descriptors. Don't break if we have no GeoIP database. - Backported from 0.2.3.1-alpha; implements ticket 3951. - diff --git a/changes/dirvote_null_deref b/changes/dirvote_null_deref deleted file mode 100644 index 65dc519f52..0000000000 --- a/changes/dirvote_null_deref +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Fix a potential null-pointer dereference while computing a consensus. - Bugfix on tor-0.2.0.3-alpha, found with the help of clang's analyzer. - diff --git a/changes/exit-policy-default-is-not-a-prefix b/changes/exit-policy-default-is-not-a-prefix deleted file mode 100644 index 6eb1e8df99..0000000000 --- a/changes/exit-policy-default-is-not-a-prefix +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Remove a trailing asterisk from "exit-policy/default" in the - output of the control port command "GETINFO info/names". Bugfix - on 0.1.2.5-alpha. - diff --git a/changes/feature3049 b/changes/feature3049 deleted file mode 100644 index 7960a1f475..0000000000 --- a/changes/feature3049 +++ /dev/null @@ -1,6 +0,0 @@ - o Major features: - - Add an __OwningControllerProcess configuration option and a - TAKEOWNERSHIP control-port command, so that a Tor controller can - ensure that when it exits, Tor will shut down. Implements - feature 3049. - diff --git a/changes/feature3076 b/changes/feature3076 deleted file mode 100644 index a3dcec8741..0000000000 --- a/changes/feature3076 +++ /dev/null @@ -1,14 +0,0 @@ - o Minor features - - The options SocksPort, ControlPort, and so on now all accept an - optional value "auto" that opens a socket on an OS-selected port. - o Minor features (controller) - - GETINFO net/listeners/(type) now returns a list of the addresses - and ports that are bound for listeners for a given connection - type. This is useful for if the user has selected SocksPort - "auto", and you need to know which port got chosen. - - There is a ControlPortWriteToFile option that tells Tor to write - its actual control port or ports to a chosen file. If the option - ControlPortFileGroupReadable is set, the file is created as - group-readable. - - diff --git a/changes/feature4484 b/changes/feature4484 deleted file mode 100644 index 78154e9649..0000000000 --- a/changes/feature4484 +++ /dev/null @@ -1,8 +0,0 @@ - o Minor features: - - Add two new config options for directory authorities: - AuthDirFastGuarantee sets a bandwidth threshold for guaranteeing the - Fast flag, and AuthDirGuardBWGuarantee sets a bandwidth threshold - that is always sufficient to satisfy the bandwidth requirement for - the Guard flag. Now it will be easier for researchers to simulate - Tor networks with different values. Resolves ticket 4484. - diff --git a/changes/fix-connection_printf_to_buf b/changes/fix-connection_printf_to_buf deleted file mode 100644 index e191eac8a5..0000000000 --- a/changes/fix-connection_printf_to_buf +++ /dev/null @@ -1,15 +0,0 @@ - * Code simplifications and refactoring: - - - Make connection_printf_to_buf's behaviour sane. Its callers - expect it to emit a CRLF iff the format string ends with CRLF; - it actually emits a CRLF iff (a) the format string ends with - CRLF or (b) the resulting string is over 1023 characters long or - (c) the format string does not end with CRLF ''and'' the - resulting string is 1021 characters long or longer. Bugfix on - 0.1.1.9-alpha; fixes part of bug 3407. - - - Make send_control_event_impl's behaviour sane. Its callers - expect it to always emit a CRLF at the end of the string; it - might emit extra control characters as well. Bugfix on - 0.1.1.9-alpha; fixes another part of bug 3407. - diff --git a/changes/fmt_addr b/changes/fmt_addr deleted file mode 100644 index b88c9e1bf4..0000000000 --- a/changes/fmt_addr +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - When unable to format an address as a string, report its value - as "???" rather than reusing the last formatted address. Bugfix - on 0.2.1.5-alpha. diff --git a/changes/geoip-april2012 b/changes/geoip-april2012 deleted file mode 100644 index 66720c6d69..0000000000 --- a/changes/geoip-april2012 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the April 3 2012 Maxmind GeoLite Country database. - diff --git a/changes/geoip-august2011 b/changes/geoip-august2011 deleted file mode 100644 index 6de8b0f29c..0000000000 --- a/changes/geoip-august2011 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the August 2 2011 Maxmind GeoLite Country database. - diff --git a/changes/geoip-december2011 b/changes/geoip-december2011 deleted file mode 100644 index 82a708de62..0000000000 --- a/changes/geoip-december2011 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the December 6 2011 Maxmind GeoLite Country database. - diff --git a/changes/geoip-february2012 b/changes/geoip-february2012 deleted file mode 100644 index 0711654021..0000000000 --- a/changes/geoip-february2012 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the February 7 2012 Maxmind GeoLite Country database. - diff --git a/changes/geoip-january2012 b/changes/geoip-january2012 deleted file mode 100644 index 2f4180e578..0000000000 --- a/changes/geoip-january2012 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the January 3 2012 Maxmind GeoLite Country database. - diff --git a/changes/geoip-july2011 b/changes/geoip-july2011 deleted file mode 100644 index 7a9f119be0..0000000000 --- a/changes/geoip-july2011 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the July 1 2011 Maxmind GeoLite Country database. - diff --git a/changes/geoip-june2011 b/changes/geoip-june2011 deleted file mode 100644 index 8cf011b723..0000000000 --- a/changes/geoip-june2011 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the June 1 2011 Maxmind GeoLite Country database. - diff --git a/changes/geoip-march2012 b/changes/geoip-march2012 deleted file mode 100644 index 0f66d8fae2..0000000000 --- a/changes/geoip-march2012 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the March 6 2012 Maxmind GeoLite Country database. - diff --git a/changes/geoip-may2011 b/changes/geoip-may2011 deleted file mode 100644 index c908f24b45..0000000000 --- a/changes/geoip-may2011 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the May 1 2011 Maxmind GeoLite Country database. - diff --git a/changes/geoip-november2011 b/changes/geoip-november2011 deleted file mode 100644 index 3aa8dc05c2..0000000000 --- a/changes/geoip-november2011 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the November 1 2011 Maxmind GeoLite Country database. - diff --git a/changes/geoip-october2011 b/changes/geoip-october2011 deleted file mode 100644 index d5b6910edb..0000000000 --- a/changes/geoip-october2011 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the October 4 2011 Maxmind GeoLite Country database. - diff --git a/changes/geoip-september2011 b/changes/geoip-september2011 deleted file mode 100644 index c41314b1f0..0000000000 --- a/changes/geoip-september2011 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the September 6 2011 Maxmind GeoLite Country database. - diff --git a/changes/ides-becomes-turtles b/changes/ides-becomes-turtles deleted file mode 100644 index 09d964fe9b..0000000000 --- a/changes/ides-becomes-turtles +++ /dev/null @@ -1,4 +0,0 @@ - o Directory authority changes: - - Change IP address for ides (v3 directory authority), and rename it to - turtles. - diff --git a/changes/issue-2011-10-19L b/changes/issue-2011-10-19L deleted file mode 100644 index b879c9d401..0000000000 --- a/changes/issue-2011-10-19L +++ /dev/null @@ -1,28 +0,0 @@ - o Security fixes: - - - Don't send TLS certificate chains on outgoing OR connections - from clients and bridges. Previously, each client or bridge - would use a single cert chain for all outgoing OR connections - for up to 24 hours, which allowed any relay connected to by a - client or bridge to determine which entry guards it is using. - This is a potential user-tracing bug for *all* users; everyone - who uses Tor's client or hidden service functionality should - upgrade. Fixes CVE-2011-2768. Bugfix on FIXME; found by - frosty_un. - - - Don't use any OR connection on which we have received a - CREATE_FAST cell to satisfy an EXTEND request. Previously, we - would not consider whether a connection appears to be from a - client or bridge when deciding whether to use that connection to - satisfy an EXTEND request. Mitigates CVE-2011-2768, by - preventing an attacker from determining whether an unpatched - client is connected to a patched relay. Bugfix on FIXME; found - by frosty_un. - - - Don't assign the Guard flag to relays running a version of Tor - which would use an OR connection on which it has received a - CREATE_FAST cell to satisfy an EXTEND request. Mitigates - CVE-2011-2768, by ensuring that clients will not connect - directly to any relay which an attacker could probe for an - unpatched client's connections. - diff --git a/changes/issue-2011-10-23G b/changes/issue-2011-10-23G deleted file mode 100644 index 45f86754f0..0000000000 --- a/changes/issue-2011-10-23G +++ /dev/null @@ -1,9 +0,0 @@ - o Security fixes: - - - Reject CREATE and CREATE_FAST cells on outgoing OR connections - from a bridge to a relay. Previously, we would accept them and - handle them normally, thereby allowing a malicious relay to - easily distinguish bridges which connect to it from clients. - Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha, when bridges were - implemented; found by frosty_un. - diff --git a/changes/maatuska-ip b/changes/maatuska-ip deleted file mode 100644 index a00b43f866..0000000000 --- a/changes/maatuska-ip +++ /dev/null @@ -1,3 +0,0 @@ - o Directory authority changes: - - Change IP address for maatuska (v3 directory authority). - diff --git a/changes/md_cache_replace b/changes/md_cache_replace deleted file mode 100644 index 88e029c00a..0000000000 --- a/changes/md_cache_replace +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes - - Avoid a bug that would keep us from replacing a microdescriptor - cache on Windows. (We would try to replace the file while still - holding it open. That's fine on Unix, but Windows doesn't let us - do that.) Bugfix on 0.2.2.6-alpha; bug found by wanoskarnet. - diff --git a/changes/mdesc_null_deref b/changes/mdesc_null_deref deleted file mode 100644 index 30f0280536..0000000000 --- a/changes/mdesc_null_deref +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Avoid a possible null-pointer dereference when rebuilding the mdesc - cache without actually having any descriptors to cache. Bugfix on - 0.2.2.6-alpha. Issue discovered using clang's static analyzer. - diff --git a/changes/memleak_rendcache b/changes/memleak_rendcache deleted file mode 100644 index 93b1f6141b..0000000000 --- a/changes/memleak_rendcache +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Fix a memory leak when receiving a descriptor for a hidden - service we didn't ask for. Found by Coverity; CID#30. Bugfix on - 0.2.2.26-beta. diff --git a/changes/msvc_lround b/changes/msvc_lround deleted file mode 100644 index e4aea95351..0000000000 --- a/changes/msvc_lround +++ /dev/null @@ -1,4 +0,0 @@ - o Build fixes: - - Provide a substitute implementation of lround() for MSVC, which - apparently lacks it. Patch from Gisle Vanem. - diff --git a/changes/replay-firstpart b/changes/replay-firstpart deleted file mode 100644 index f4a7767fb1..0000000000 --- a/changes/replay-firstpart +++ /dev/null @@ -1,13 +0,0 @@ - o Minor features (security): - - - Check for replays of the public-key encrypted portion of an - INTRODUCE1 cell, in addition to the current check for replays of - the g^x value. This prevents a possible class of active attacks - by an attacker who controls both an introduction point and a - rendezvous point, and who uses the malleability of AES-CTR to - alter the encrypted g^x portion of the INTRODUCE1 cell. We - think that these attacks is infeasible (requiring the attacker - to send on the order of zettabytes of altered cells in a short - interval), but we'd rather block them off in case there are any - classes of this attack that we missed. Reported by dvorak. - diff --git a/changes/safecookie b/changes/safecookie deleted file mode 100644 index fd7d7af2b0..0000000000 --- a/changes/safecookie +++ /dev/null @@ -1,9 +0,0 @@ - o Security Features: - - Provide controllers with a safer way to implement the cookie - authentication mechanism. With the old method, if another locally - running program could convince a controller that it was the Tor - process, then that program could trick the contoller into - telling it the contents of an arbitrary 32-byte file. The new - "SAFECOOKIE" authentication method uses a challenge-response - approach to prevent this. Fixes bug 5185, implements proposal 193. - diff --git a/changes/ticket-4063 b/changes/ticket-4063 deleted file mode 100644 index 6a985b8c25..0000000000 --- a/changes/ticket-4063 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (usability): - - Downgrade log messages about circuit timeout calibration from - "notice" to "info": they don't require or suggest any human - intervention. Patch from Tom Lowenthal. Fixes bug 4063; - bugfix on 0.2.2.14-alpha. - diff --git a/changes/timersub_bug b/changes/timersub_bug deleted file mode 100644 index 9183862677..0000000000 --- a/changes/timersub_bug +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes: - - Provide correct replacements for the timeradd() and timersub() functions - for platforms that lack them (for example, windows). The timersub() - function is used when expiring circuits, timeradd() is currently unused. - Patch written by Vektor, who also reported the bug. Thanks! Bugfix - on 0.2.2.24-alpha/0.2.3.1-alpha, fixes bug 4778. - diff --git a/changes/typo-fix-ohkah8Ah b/changes/typo-fix-ohkah8Ah deleted file mode 100644 index 9b4e5c08cc..0000000000 --- a/changes/typo-fix-ohkah8Ah +++ /dev/null @@ -1,9 +0,0 @@ - * Minor bugfixes: - - - Clarify a log message specifying the characters permitted in - HiddenServiceAuthorizeClient client names. Previously, the log - message said that "[A-Za-z0-9+-_]" were permitted; that could - have given the impression that every ASCII character between "+" - and "_" was permitted. Now we say "[A-Za-z0-9+_-]". Bugfix on - 0.2.1.5-alpha. - diff --git a/changes/win-bundle-path b/changes/win-bundle-path deleted file mode 100644 index 32ff514ef2..0000000000 --- a/changes/win-bundle-path +++ /dev/null @@ -1,4 +0,0 @@ - o Packaging changes: - - Remove absolute path from makensis.exe command to build Tor expert bundle - in order to make it easier to automate package builds - diff --git a/changes/windows_8 b/changes/windows_8 deleted file mode 100644 index 405e4fa158..0000000000 --- a/changes/windows_8 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - The next version of Windows will be called Windows 8, and it has a major - version of 6, minor version of 2. Correctly identify that version instead - of calling it "Very recent version". Fixes bug 4153; reported by funkstar. - diff --git a/configure.in b/configure.in index 424cccb874..d16f9e465a 100644 --- a/configure.in +++ b/configure.in @@ -4,7 +4,7 @@ dnl Copyright (c) 2007-2008, The Tor Project, Inc. dnl See LICENSE for licensing information AC_INIT -AM_INIT_AUTOMAKE(tor, 0.2.2.34-dev) +AM_INIT_AUTOMAKE(tor, 0.2.2.36) AM_CONFIG_HEADER(orconfig.h) AC_CANONICAL_HOST diff --git a/contrib/tor-mingw.nsi.in b/contrib/tor-mingw.nsi.in index 6b359ad8e0..417973b8e0 100644 --- a/contrib/tor-mingw.nsi.in +++ b/contrib/tor-mingw.nsi.in @@ -8,7 +8,7 @@ !include "LogicLib.nsh" !include "FileFunc.nsh" !insertmacro GetParameters -!define VERSION "0.2.2.34-dev" +!define VERSION "0.2.2.36" !define INSTALLER "tor-${VERSION}-win32.exe" !define WEBSITE "https://www.torproject.org/" !define LICENSE "LICENSE" diff --git a/src/win32/orconfig.h b/src/win32/orconfig.h index 238b3f7ac9..705fa2fc19 100644 --- a/src/win32/orconfig.h +++ b/src/win32/orconfig.h @@ -233,5 +233,5 @@ #define USING_TWOS_COMPLEMENT /* Version number of package */ -#define VERSION "0.2.2.34-dev" +#define VERSION "0.2.2.36" |